3.10.5

changelog.md

@@ -1,5 +1,31 @@
 # Changelog
 
+## 2025-02-24 - 3.10.5 - fix(portproxy)
+Fix incorrect import path in test file
+
+- Change import path from '../ts/smartproxy.portproxy.js' to '../ts/classes.portproxy.js' in test/test.portproxy.ts
+
+## 2025-02-23 - 3.10.4 - fix(PortProxy)
+Refactor connection tracking to utilize unified records in PortProxy
+
+- Implemented a unified record system for tracking incoming and outgoing connections.
+- Replaced individual connection tracking sets with a Set of IConnectionRecord.
+- Improved logging of connection activities and statistics.
+
+## 2025-02-23 - 3.10.3 - fix(PortProxy)
+Refactor and optimize PortProxy for improved readability and maintainability
+
+- Simplified and clarified inline comments.
+- Optimized the extractSNI function for better readability.
+- Streamlined the cleanup process for connections in PortProxy.
+- Improved handling and logging of incoming and outgoing connections.
+
+## 2025-02-23 - 3.10.2 - fix(PortProxy)
+Fix connection handling to include timeouts for SNI-enabled connections.
+
+- Added initial data timeout for SNI-enabled connections to improve connection handling.
+- Cleared timeout once data is received to prevent premature socket closure.
+
 ## 2025-02-22 - 3.10.1 - fix(PortProxy)
 Improve socket cleanup logic to prevent potential resource leaks
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "3.10.1",
+  "version": "3.10.5",
   "private": false,
   "description": "a proxy for handling high workloads of proxying",
   "main": "dist_ts/index.js",

test/test.portproxy.ts

@@ -1,6 +1,6 @@
 import { expect, tap } from '@push.rocks/tapbundle';
 import * as net from 'net';
-import { PortProxy } from '../ts/smartproxy.portproxy.js';
+import { PortProxy } from '../ts/classes.portproxy.js';
 
 let testServer: net.Server;
 let portProxy: PortProxy;

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '3.10.1',
+  version: '3.10.5',
   description: 'a proxy for handling high workloads of proxying'
 }

ts/classes.networkproxy.ts

@@ -1,5 +1,5 @@
 import * as plugins from './plugins.js';
-import { ProxyRouter } from './smartproxy.classes.router.js';
+import { ProxyRouter } from './classes.router.js';
 import * as fs from 'fs';
 import * as path from 'path';
 import { fileURLToPath } from 'url';

ts/classes.port80handler.ts

@@ -0,0 +1,212 @@
+import * as http from 'http';
+import * as acme from 'acme-client';
+
+interface IDomainCertificate {
+  certObtained: boolean;
+  obtainingInProgress: boolean;
+  certificate?: string;
+  privateKey?: string;
+  challengeToken?: string;
+  challengeKeyAuthorization?: string;
+}
+
+export class Port80Handler {
+  private domainCertificates: Map<string, IDomainCertificate>;
+  private server: http.Server;
+  private acmeClient: acme.Client | null = null;
+  private accountKey: string | null = null;
+
+  constructor() {
+    this.domainCertificates = new Map<string, IDomainCertificate>();
+
+    // Create and start an HTTP server on port 80.
+    this.server = http.createServer((req, res) => this.handleRequest(req, res));
+    this.server.listen(80, () => {
+      console.log('Port80Handler is listening on port 80');
+    });
+  }
+
+  /**
+   * Adds a domain to be managed.
+   * @param domain The domain to add.
+   */
+  public addDomain(domain: string): void {
+    if (!this.domainCertificates.has(domain)) {
+      this.domainCertificates.set(domain, { certObtained: false, obtainingInProgress: false });
+      console.log(`Domain added: ${domain}`);
+    }
+  }
+
+  /**
+   * Removes a domain from management.
+   * @param domain The domain to remove.
+   */
+  public removeDomain(domain: string): void {
+    if (this.domainCertificates.delete(domain)) {
+      console.log(`Domain removed: ${domain}`);
+    }
+  }
+
+  /**
+   * Lazy initialization of the ACME client.
+   * Uses Let’s Encrypt’s production directory (for testing you might switch to staging).
+   */
+  private async getAcmeClient(): Promise<acme.Client> {
+    if (this.acmeClient) {
+      return this.acmeClient;
+    }
+    // Generate a new account key.
+    this.accountKey = await acme.forge.createPrivateKey();
+    this.acmeClient = new acme.Client({
+      directoryUrl: acme.directory.letsencrypt.production, // Use production for a real certificate
+      // For testing, you could use:
+      // directoryUrl: acme.directory.letsencrypt.staging,
+      accountKey: this.accountKey,
+    });
+    // Create a new account. Make sure to update the contact email.
+    await this.acmeClient.createAccount({
+      termsOfServiceAgreed: true,
+      contact: ['mailto:admin@example.com'],
+    });
+    return this.acmeClient;
+  }
+
+  /**
+   * Handles incoming HTTP requests on port 80.
+   * If the request is for an ACME challenge, it responds with the key authorization.
+   * If the domain has a certificate, it redirects to HTTPS; otherwise, it initiates certificate issuance.
+   */
+  private handleRequest(req: http.IncomingMessage, res: http.ServerResponse): void {
+    const hostHeader = req.headers.host;
+    if (!hostHeader) {
+      res.statusCode = 400;
+      res.end('Bad Request: Host header is missing');
+      return;
+    }
+    // Extract domain (ignoring any port in the Host header)
+    const domain = hostHeader.split(':')[0];
+
+    // If the request is for an ACME HTTP-01 challenge, handle it.
+    if (req.url && req.url.startsWith('/.well-known/acme-challenge/')) {
+      this.handleAcmeChallenge(req, res, domain);
+      return;
+    }
+
+    if (!this.domainCertificates.has(domain)) {
+      res.statusCode = 404;
+      res.end('Domain not configured');
+      return;
+    }
+
+    const domainInfo = this.domainCertificates.get(domain)!;
+
+    // If certificate exists, redirect to HTTPS on port 443.
+    if (domainInfo.certObtained) {
+      const redirectUrl = `https://${domain}:443${req.url}`;
+      res.statusCode = 301;
+      res.setHeader('Location', redirectUrl);
+      res.end(`Redirecting to ${redirectUrl}`);
+    } else {
+      // Trigger certificate issuance if not already running.
+      if (!domainInfo.obtainingInProgress) {
+        domainInfo.obtainingInProgress = true;
+        this.obtainCertificate(domain).catch(err => {
+          console.error(`Error obtaining certificate for ${domain}:`, err);
+        });
+      }
+      res.statusCode = 503;
+      res.end('Certificate issuance in progress, please try again later.');
+    }
+  }
+
+  /**
+   * Serves the ACME HTTP-01 challenge response.
+   */
+  private handleAcmeChallenge(req: http.IncomingMessage, res: http.ServerResponse, domain: string): void {
+    const domainInfo = this.domainCertificates.get(domain);
+    if (!domainInfo) {
+      res.statusCode = 404;
+      res.end('Domain not configured');
+      return;
+    }
+    // The token is the last part of the URL.
+    const urlParts = req.url?.split('/');
+    const token = urlParts ? urlParts[urlParts.length - 1] : '';
+    if (domainInfo.challengeToken === token && domainInfo.challengeKeyAuthorization) {
+      res.statusCode = 200;
+      res.setHeader('Content-Type', 'text/plain');
+      res.end(domainInfo.challengeKeyAuthorization);
+      console.log(`Served ACME challenge response for ${domain}`);
+    } else {
+      res.statusCode = 404;
+      res.end('Challenge token not found');
+    }
+  }
+
+  /**
+   * Uses acme-client to perform a full ACME HTTP-01 challenge to obtain a certificate.
+   * On success, it stores the certificate and key in memory and clears challenge data.
+   */
+  private async obtainCertificate(domain: string): Promise<void> {
+    try {
+      const client = await this.getAcmeClient();
+
+      // Create a new order for the domain.
+      const order = await client.createOrder({
+        identifiers: [{ type: 'dns', value: domain }],
+      });
+
+      // Get the authorizations for the order.
+      const authorizations = await client.getAuthorizations(order);
+      for (const authz of authorizations) {
+        const challenge = authz.challenges.find(ch => ch.type === 'http-01');
+        if (!challenge) {
+          throw new Error('HTTP-01 challenge not found');
+        }
+        // Get the key authorization for the challenge.
+        const keyAuthorization = await client.getChallengeKeyAuthorization(challenge);
+        const domainInfo = this.domainCertificates.get(domain)!;
+        domainInfo.challengeToken = challenge.token;
+        domainInfo.challengeKeyAuthorization = keyAuthorization;
+
+        // Notify the ACME server that the challenge is ready.
+        await client.verifyChallenge(authz, challenge, keyAuthorization);
+        await client.completeChallenge(challenge);
+        // Wait until the challenge is validated.
+        await client.waitForValidStatus(challenge);
+        console.log(`HTTP-01 challenge completed for ${domain}`);
+      }
+
+      // Generate a CSR and a new private key for the domain.
+      const [csr, privateKey] = await acme.forge.createCsr({
+        commonName: domain,
+      });
+
+      // Finalize the order and obtain the certificate.
+      await client.finalizeOrder(order, csr);
+      const certificate = await client.getCertificate(order);
+
+      const domainInfo = this.domainCertificates.get(domain)!;
+      domainInfo.certificate = certificate;
+      domainInfo.privateKey = privateKey;
+      domainInfo.certObtained = true;
+      domainInfo.obtainingInProgress = false;
+      delete domainInfo.challengeToken;
+      delete domainInfo.challengeKeyAuthorization;
+
+      console.log(`Certificate obtained for ${domain}`);
+      // In a real application, you would persist the certificate and key,
+      // then reload your TLS server with the new credentials.
+    } catch (error) {
+      console.error(`Error during certificate issuance for ${domain}:`, error);
+      const domainInfo = this.domainCertificates.get(domain);
+      if (domainInfo) {
+        domainInfo.obtainingInProgress = false;
+      }
+    }
+  }
+}
+
+// Example usage:
+// const handler = new Port80Handler();
+// handler.addDomain('example.com');

ts/classes.portproxy.ts

@@ -0,0 +1,352 @@
+import * as plugins from './plugins.js';
+
+export interface IDomainConfig {
+  domain: string;         // Glob pattern for domain
+  allowedIPs: string[];   // Glob patterns for allowed IPs
+  targetIP?: string;      // Optional target IP for this domain
+}
+
+export interface IProxySettings extends plugins.tls.TlsOptions {
+  fromPort: number;
+  toPort: number;
+  toHost?: string; // Target host to proxy to, defaults to 'localhost'
+  domains: IDomainConfig[];
+  sniEnabled?: boolean;
+  defaultAllowedIPs?: string[];
+  preserveSourceIP?: boolean;
+}
+
+/**
+ * Extracts the SNI (Server Name Indication) from a TLS ClientHello packet.
+ * @param buffer - Buffer containing the TLS ClientHello.
+ * @returns The server name if found, otherwise undefined.
+ */
+function extractSNI(buffer: Buffer): string | undefined {
+  let offset = 0;
+  if (buffer.length < 5) return undefined;
+
+  const recordType = buffer.readUInt8(0);
+  if (recordType !== 22) return undefined; // 22 = handshake
+
+  const recordLength = buffer.readUInt16BE(3);
+  if (buffer.length < 5 + recordLength) return undefined;
+
+  offset = 5;
+  const handshakeType = buffer.readUInt8(offset);
+  if (handshakeType !== 1) return undefined; // 1 = ClientHello
+
+  offset += 4; // Skip handshake header (type + length)
+  offset += 2 + 32; // Skip client version and random
+
+  const sessionIDLength = buffer.readUInt8(offset);
+  offset += 1 + sessionIDLength; // Skip session ID
+
+  const cipherSuitesLength = buffer.readUInt16BE(offset);
+  offset += 2 + cipherSuitesLength; // Skip cipher suites
+
+  const compressionMethodsLength = buffer.readUInt8(offset);
+  offset += 1 + compressionMethodsLength; // Skip compression methods
+
+  if (offset + 2 > buffer.length) return undefined;
+  const extensionsLength = buffer.readUInt16BE(offset);
+  offset += 2;
+  const extensionsEnd = offset + extensionsLength;
+
+  while (offset + 4 <= extensionsEnd) {
+    const extensionType = buffer.readUInt16BE(offset);
+    const extensionLength = buffer.readUInt16BE(offset + 2);
+    offset += 4;
+    if (extensionType === 0x0000) { // SNI extension
+      if (offset + 2 > buffer.length) return undefined;
+      const sniListLength = buffer.readUInt16BE(offset);
+      offset += 2;
+      const sniListEnd = offset + sniListLength;
+      while (offset + 3 < sniListEnd) {
+        const nameType = buffer.readUInt8(offset++);
+        const nameLen = buffer.readUInt16BE(offset);
+        offset += 2;
+        if (nameType === 0) { // host_name
+          if (offset + nameLen > buffer.length) return undefined;
+          return buffer.toString('utf8', offset, offset + nameLen);
+        }
+        offset += nameLen;
+      }
+      break;
+    } else {
+      offset += extensionLength;
+    }
+  }
+  return undefined;
+}
+
+interface IConnectionRecord {
+  incoming: plugins.net.Socket;
+  outgoing: plugins.net.Socket | null;
+  incomingStartTime: number;
+  outgoingStartTime?: number;
+  connectionClosed: boolean;
+}
+
+export class PortProxy {
+  netServer: plugins.net.Server;
+  settings: IProxySettings;
+  // Unified record tracking each connection pair.
+  private connectionRecords: Set<IConnectionRecord> = new Set();
+  private connectionLogger: NodeJS.Timeout | null = null;
+
+  private terminationStats: {
+    incoming: Record<string, number>;
+    outgoing: Record<string, number>;
+  } = {
+    incoming: {},
+    outgoing: {},
+  };
+
+  constructor(settings: IProxySettings) {
+    this.settings = {
+      ...settings,
+      toHost: settings.toHost || 'localhost',
+    };
+  }
+
+  private incrementTerminationStat(side: 'incoming' | 'outgoing', reason: string): void {
+    this.terminationStats[side][reason] = (this.terminationStats[side][reason] || 0) + 1;
+  }
+
+  public async start() {
+    // Helper to forcefully destroy sockets.
+    const cleanUpSockets = (socketA: plugins.net.Socket, socketB?: plugins.net.Socket) => {
+      if (!socketA.destroyed) socketA.destroy();
+      if (socketB && !socketB.destroyed) socketB.destroy();
+    };
+
+    // Normalize an IP to include both IPv4 and IPv6 representations.
+    const normalizeIP = (ip: string): string[] => {
+      if (ip.startsWith('::ffff:')) {
+        const ipv4 = ip.slice(7);
+        return [ip, ipv4];
+      }
+      if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
+        return [ip, `::ffff:${ip}`];
+      }
+      return [ip];
+    };
+
+    // Check if a given IP matches any of the glob patterns.
+    const isAllowed = (ip: string, patterns: string[]): boolean => {
+      const normalizedIPVariants = normalizeIP(ip);
+      const expandedPatterns = patterns.flatMap(normalizeIP);
+      return normalizedIPVariants.some(ipVariant =>
+        expandedPatterns.some(pattern => plugins.minimatch(ipVariant, pattern))
+      );
+    };
+
+    // Find a matching domain config based on the SNI.
+    const findMatchingDomain = (serverName: string): IDomainConfig | undefined =>
+      this.settings.domains.find(config => plugins.minimatch(serverName, config.domain));
+
+    this.netServer = plugins.net.createServer((socket: plugins.net.Socket) => {
+      const remoteIP = socket.remoteAddress || '';
+      const connectionRecord: IConnectionRecord = {
+        incoming: socket,
+        outgoing: null,
+        incomingStartTime: Date.now(),
+        connectionClosed: false,
+      };
+      this.connectionRecords.add(connectionRecord);
+      console.log(`New connection from ${remoteIP}. Active connections: ${this.connectionRecords.size}`);
+
+      let initialDataReceived = false;
+      let incomingTerminationReason: string | null = null;
+      let outgoingTerminationReason: string | null = null;
+
+      // Ensure cleanup happens only once for the entire connection record.
+      const cleanupOnce = () => {
+        if (!connectionRecord.connectionClosed) {
+          connectionRecord.connectionClosed = true;
+          cleanUpSockets(connectionRecord.incoming, connectionRecord.outgoing || undefined);
+          this.connectionRecords.delete(connectionRecord);
+          console.log(`Connection from ${remoteIP} terminated. Active connections: ${this.connectionRecords.size}`);
+        }
+      };
+
+      // Helper to reject an incoming connection.
+      const rejectIncomingConnection = (reason: string, logMessage: string) => {
+        console.log(logMessage);
+        socket.end();
+        if (incomingTerminationReason === null) {
+          incomingTerminationReason = reason;
+          this.incrementTerminationStat('incoming', reason);
+        }
+        cleanupOnce();
+      };
+
+      socket.on('error', (err: Error) => {
+        const errorMessage = initialDataReceived
+          ? `(Immediate) Incoming socket error from ${remoteIP}: ${err.message}`
+          : `(Premature) Incoming socket error from ${remoteIP} before data received: ${err.message}`;
+        console.log(errorMessage);
+      });
+
+      const handleError = (side: 'incoming' | 'outgoing') => (err: Error) => {
+        const code = (err as any).code;
+        let reason = 'error';
+        if (code === 'ECONNRESET') {
+          reason = 'econnreset';
+          console.log(`ECONNRESET on ${side} side from ${remoteIP}: ${err.message}`);
+        } else {
+          console.log(`Error on ${side} side from ${remoteIP}: ${err.message}`);
+        }
+        if (side === 'incoming' && incomingTerminationReason === null) {
+          incomingTerminationReason = reason;
+          this.incrementTerminationStat('incoming', reason);
+        } else if (side === 'outgoing' && outgoingTerminationReason === null) {
+          outgoingTerminationReason = reason;
+          this.incrementTerminationStat('outgoing', reason);
+        }
+        cleanupOnce();
+      };
+
+      const handleClose = (side: 'incoming' | 'outgoing') => () => {
+        console.log(`Connection closed on ${side} side from ${remoteIP}`);
+        if (side === 'incoming' && incomingTerminationReason === null) {
+          incomingTerminationReason = 'normal';
+          this.incrementTerminationStat('incoming', 'normal');
+        } else if (side === 'outgoing' && outgoingTerminationReason === null) {
+          outgoingTerminationReason = 'normal';
+          this.incrementTerminationStat('outgoing', 'normal');
+        }
+        cleanupOnce();
+      };
+
+      const setupConnection = (serverName: string, initialChunk?: Buffer) => {
+        const defaultAllowed = this.settings.defaultAllowedIPs && isAllowed(remoteIP, this.settings.defaultAllowedIPs);
+
+        if (!defaultAllowed && serverName) {
+          const domainConfig = findMatchingDomain(serverName);
+          if (!domainConfig) {
+            return rejectIncomingConnection('rejected', `Connection rejected: No matching domain config for ${serverName} from ${remoteIP}`);
+          }
+          if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
+            return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed for domain ${serverName}`);
+          }
+        } else if (!defaultAllowed && !serverName) {
+          return rejectIncomingConnection('rejected', `Connection rejected: No SNI and IP ${remoteIP} not in default allowed list`);
+        } else if (defaultAllowed && !serverName) {
+          console.log(`Connection allowed: IP ${remoteIP} is in default allowed list`);
+        }
+
+        const domainConfig = serverName ? findMatchingDomain(serverName) : undefined;
+        const targetHost = domainConfig?.targetIP || this.settings.toHost!;
+        const connectionOptions: plugins.net.NetConnectOpts = {
+          host: targetHost,
+          port: this.settings.toPort,
+        };
+        if (this.settings.preserveSourceIP) {
+          connectionOptions.localAddress = remoteIP.replace('::ffff:', '');
+        }
+
+        const targetSocket = plugins.net.connect(connectionOptions);
+        connectionRecord.outgoing = targetSocket;
+        connectionRecord.outgoingStartTime = Date.now();
+
+        console.log(
+          `Connection established: ${remoteIP} -> ${targetHost}:${this.settings.toPort}` +
+          `${serverName ? ` (SNI: ${serverName})` : ''}`
+        );
+
+        if (initialChunk) {
+          socket.unshift(initialChunk);
+        }
+        socket.setTimeout(120000);
+        socket.pipe(targetSocket);
+        targetSocket.pipe(socket);
+
+        socket.on('error', handleError('incoming'));
+        targetSocket.on('error', handleError('outgoing'));
+        socket.on('close', handleClose('incoming'));
+        targetSocket.on('close', handleClose('outgoing'));
+        socket.on('timeout', () => {
+          console.log(`Timeout on incoming side from ${remoteIP}`);
+          if (incomingTerminationReason === null) {
+            incomingTerminationReason = 'timeout';
+            this.incrementTerminationStat('incoming', 'timeout');
+          }
+          cleanupOnce();
+        });
+        targetSocket.on('timeout', () => {
+          console.log(`Timeout on outgoing side from ${remoteIP}`);
+          if (outgoingTerminationReason === null) {
+            outgoingTerminationReason = 'timeout';
+            this.incrementTerminationStat('outgoing', 'timeout');
+          }
+          cleanupOnce();
+        });
+        socket.on('end', handleClose('incoming'));
+        targetSocket.on('end', handleClose('outgoing'));
+      };
+
+      if (this.settings.sniEnabled) {
+        socket.setTimeout(5000, () => {
+          console.log(`Initial data timeout for ${remoteIP}`);
+          socket.end();
+          cleanupOnce();
+        });
+
+        socket.once('data', (chunk: Buffer) => {
+          socket.setTimeout(0);
+          initialDataReceived = true;
+          const serverName = extractSNI(chunk) || '';
+          console.log(`Received connection from ${remoteIP} with SNI: ${serverName}`);
+          setupConnection(serverName, chunk);
+        });
+      } else {
+        initialDataReceived = true;
+        if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
+          return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed for non-SNI connection`);
+        }
+        setupConnection('');
+      }
+    })
+      .on('error', (err: Error) => {
+        console.log(`Server Error: ${err.message}`);
+      })
+      .listen(this.settings.fromPort, () => {
+        console.log(
+          `PortProxy -> OK: Now listening on port ${this.settings.fromPort}` +
+          `${this.settings.sniEnabled ? ' (SNI passthrough enabled)' : ''}`
+        );
+      });
+
+    // Every 10 seconds log active connection count and longest running durations.
+    this.connectionLogger = setInterval(() => {
+      const now = Date.now();
+      let maxIncoming = 0;
+      let maxOutgoing = 0;
+      for (const record of this.connectionRecords) {
+        maxIncoming = Math.max(maxIncoming, now - record.incomingStartTime);
+        if (record.outgoingStartTime) {
+          maxOutgoing = Math.max(maxOutgoing, now - record.outgoingStartTime);
+        }
+      }
+      console.log(
+        `(Interval Log) Active connections: ${this.connectionRecords.size}. ` +
+        `Longest running incoming: ${plugins.prettyMs(maxIncoming)}, outgoing: ${plugins.prettyMs(maxOutgoing)}. ` +
+        `Termination stats (incoming): ${JSON.stringify(this.terminationStats.incoming)}, ` +
+        `(outgoing): ${JSON.stringify(this.terminationStats.outgoing)}`
+      );
+    }, 10000);
+  }
+
+  public async stop() {
+    const done = plugins.smartpromise.defer();
+    this.netServer.close(() => {
+      done.resolve();
+    });
+    if (this.connectionLogger) {
+      clearInterval(this.connectionLogger);
+      this.connectionLogger = null;
+    }
+    await done.promise;
+  }
+}

ts/index.ts

@@ -1,3 +1,3 @@
-export * from './smartproxy.classes.networkproxy.js';
-export * from './smartproxy.portproxy.js';
-export * from './smartproxy.classes.sslredirect.js';
+export * from './classes.networkproxy.js';
+export * from './classes.portproxy.js';
+export * from './classes.sslredirect.js';

ts/smartproxy.portproxy.ts

@@ -1,422 +0,0 @@
-import * as plugins from './plugins.js';
-
-export interface IDomainConfig {
-  domain: string;         // glob pattern for domain
-  allowedIPs: string[];   // glob patterns for IPs allowed to access this domain
-  targetIP?: string;      // Optional target IP for this domain
-}
-
-export interface IProxySettings extends plugins.tls.TlsOptions {
-  // Port configuration
-  fromPort: number;
-  toPort: number;
-  toHost?: string;        // Target host to proxy to, defaults to 'localhost'
-
-  // Domain and security settings
-  domains: IDomainConfig[];
-  sniEnabled?: boolean;
-  defaultAllowedIPs?: string[]; // Optional default IP patterns if no matching domain found
-  preserveSourceIP?: boolean;   // Whether to preserve the client's source IP when proxying
-}
-
-/**
- * Extract SNI (Server Name Indication) from a TLS ClientHello packet.
- * Returns the server name if found, or undefined.
- */
-function extractSNI(buffer: Buffer): string | undefined {
-  let offset = 0;
-  // We need at least 5 bytes for the record header.
-  if (buffer.length < 5) {
-    return undefined;
-  }
-
-  // TLS record header
-  const recordType = buffer.readUInt8(0);
-  if (recordType !== 22) { // 22 = handshake
-    return undefined;
-  }
-  // Read record length
-  const recordLength = buffer.readUInt16BE(3);
-  if (buffer.length < 5 + recordLength) {
-    // Not all data arrived yet; in production you might need to accumulate more data.
-    return undefined;
-  }
-
-  offset = 5;
-  // Handshake message type should be 1 for ClientHello.
-  const handshakeType = buffer.readUInt8(offset);
-  if (handshakeType !== 1) {
-    return undefined;
-  }
-  // Skip handshake header (1 byte type + 3 bytes length)
-  offset += 4;
-
-  // Skip client version (2 bytes) and random (32 bytes)
-  offset += 2 + 32;
-
-  // Session ID
-  const sessionIDLength = buffer.readUInt8(offset);
-  offset += 1 + sessionIDLength;
-
-  // Cipher suites
-  const cipherSuitesLength = buffer.readUInt16BE(offset);
-  offset += 2 + cipherSuitesLength;
-
-  // Compression methods
-  const compressionMethodsLength = buffer.readUInt8(offset);
-  offset += 1 + compressionMethodsLength;
-
-  // Extensions length
-  if (offset + 2 > buffer.length) {
-    return undefined;
-  }
-  const extensionsLength = buffer.readUInt16BE(offset);
-  offset += 2;
-  const extensionsEnd = offset + extensionsLength;
-
-  // Iterate over extensions
-  while (offset + 4 <= extensionsEnd) {
-    const extensionType = buffer.readUInt16BE(offset);
-    const extensionLength = buffer.readUInt16BE(offset + 2);
-    offset += 4;
-
-    // Check for SNI extension (type 0)
-    if (extensionType === 0x0000) {
-      // SNI extension: first 2 bytes are the SNI list length.
-      if (offset + 2 > buffer.length) {
-        return undefined;
-      }
-      const sniListLength = buffer.readUInt16BE(offset);
-      offset += 2;
-      const sniListEnd = offset + sniListLength;
-      // Loop through the list; typically there is one entry.
-      while (offset + 3 < sniListEnd) {
-        const nameType = buffer.readUInt8(offset);
-        offset++;
-        const nameLen = buffer.readUInt16BE(offset);
-        offset += 2;
-        if (nameType === 0) { // host_name
-          if (offset + nameLen > buffer.length) {
-            return undefined;
-          }
-          const serverName = buffer.toString('utf8', offset, offset + nameLen);
-          return serverName;
-        }
-        offset += nameLen;
-      }
-      break;
-    } else {
-      offset += extensionLength;
-    }
-  }
-  return undefined;
-}
-
-export class PortProxy {
-  netServer: plugins.net.Server;
-  settings: IProxySettings;
-  // Track active incoming connections
-  private activeConnections: Set<plugins.net.Socket> = new Set();
-  // Record start times for incoming connections
-  private incomingConnectionTimes: Map<plugins.net.Socket, number> = new Map();
-  // Record start times for outgoing connections
-  private outgoingConnectionTimes: Map<plugins.net.Socket, number> = new Map();
-  private connectionLogger: NodeJS.Timeout | null = null;
-
-  // Overall termination statistics
-  private terminationStats: {
-    incoming: Record<string, number>;
-    outgoing: Record<string, number>;
-  } = {
-    incoming: {},
-    outgoing: {},
-  };
-
-  constructor(settings: IProxySettings) {
-    this.settings = {
-      ...settings,
-      toHost: settings.toHost || 'localhost'
-    };
-  }
-
-  // Helper to update termination stats.
-  private incrementTerminationStat(side: 'incoming' | 'outgoing', reason: string): void {
-    if (!this.terminationStats[side][reason]) {
-      this.terminationStats[side][reason] = 1;
-    } else {
-      this.terminationStats[side][reason]++;
-    }
-  }
-
-  public async start() {
-    // Adjusted cleanUpSockets: forcefully destroy both sockets if they haven't been destroyed.
-    const cleanUpSockets = (from: plugins.net.Socket, to?: plugins.net.Socket) => {
-      if (!from.destroyed) {
-        from.destroy();
-      }
-      if (to && !to.destroyed) {
-        to.destroy();
-      }
-    };
-
-    const normalizeIP = (ip: string): string[] => {
-      // Handle IPv4-mapped IPv6 addresses
-      if (ip.startsWith('::ffff:')) {
-        const ipv4 = ip.slice(7); // Remove '::ffff:' prefix
-        return [ip, ipv4];
-      }
-      // Handle IPv4 addresses by adding IPv4-mapped IPv6 variant
-      if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
-        return [ip, `::ffff:${ip}`];
-      }
-      return [ip];
-    };
-
-    const isAllowed = (value: string, patterns: string[]): boolean => {
-      // Expand patterns to include both IPv4 and IPv6 variants
-      const expandedPatterns = patterns.flatMap(normalizeIP);
-      // Check if any variant of the IP matches any expanded pattern
-      return normalizeIP(value).some(ip =>
-        expandedPatterns.some(pattern => plugins.minimatch(ip, pattern))
-      );
-    };
-
-    const findMatchingDomain = (serverName: string): IDomainConfig | undefined => {
-      return this.settings.domains.find(config => plugins.minimatch(serverName, config.domain));
-    };
-
-    // Create a plain net server for TLS passthrough.
-    this.netServer = plugins.net.createServer((socket: plugins.net.Socket) => {
-      const remoteIP = socket.remoteAddress || '';
-
-      // Record start time for the incoming connection.
-      this.activeConnections.add(socket);
-      this.incomingConnectionTimes.set(socket, Date.now());
-      console.log(`New connection from ${remoteIP}. Active connections: ${this.activeConnections.size}`);
-
-      // Flag to detect if we've received the first data chunk.
-      let initialDataReceived = false;
-
-      // Local termination reason trackers for each side.
-      let incomingTermReason: string | null = null;
-      let outgoingTermReason: string | null = null;
-
-      // Immediately attach an error handler to catch early errors.
-      socket.on('error', (err: Error) => {
-        if (!initialDataReceived) {
-          console.log(`(Premature) Incoming socket error from ${remoteIP} before data received: ${err.message}`);
-        } else {
-          console.log(`(Immediate) Incoming socket error from ${remoteIP}: ${err.message}`);
-        }
-      });
-
-      // Ensure cleanup happens only once.
-      let connectionClosed = false;
-      const cleanupOnce = () => {
-        if (!connectionClosed) {
-          connectionClosed = true;
-          cleanUpSockets(socket, to || undefined);
-          this.incomingConnectionTimes.delete(socket);
-          if (to) {
-            this.outgoingConnectionTimes.delete(to);
-          }
-          if (this.activeConnections.has(socket)) {
-            this.activeConnections.delete(socket);
-            console.log(`Connection from ${remoteIP} terminated. Active connections: ${this.activeConnections.size}`);
-          }
-        }
-      };
-
-      // Outgoing connection placeholder.
-      let to: plugins.net.Socket | null = null;
-
-      // Handle errors by recording termination reason and cleaning up.
-      const handleError = (side: 'incoming' | 'outgoing') => (err: Error) => {
-        const code = (err as any).code;
-        let reason = 'error';
-        if (code === 'ECONNRESET') {
-          reason = 'econnreset';
-          console.log(`ECONNRESET on ${side} side from ${remoteIP}: ${err.message}`);
-        } else {
-          console.log(`Error on ${side} side from ${remoteIP}: ${err.message}`);
-        }
-        if (side === 'incoming' && incomingTermReason === null) {
-          incomingTermReason = reason;
-          this.incrementTerminationStat('incoming', reason);
-        } else if (side === 'outgoing' && outgoingTermReason === null) {
-          outgoingTermReason = reason;
-          this.incrementTerminationStat('outgoing', reason);
-        }
-        cleanupOnce();
-      };
-
-      // Handle close events. If no termination reason was recorded, mark as "normal".
-      const handleClose = (side: 'incoming' | 'outgoing') => () => {
-        console.log(`Connection closed on ${side} side from ${remoteIP}`);
-        if (side === 'incoming' && incomingTermReason === null) {
-          incomingTermReason = 'normal';
-          this.incrementTerminationStat('incoming', 'normal');
-        } else if (side === 'outgoing' && outgoingTermReason === null) {
-          outgoingTermReason = 'normal';
-          this.incrementTerminationStat('outgoing', 'normal');
-        }
-        cleanupOnce();
-      };
-
-      // Setup connection, optionally accepting the initial data chunk.
-      const setupConnection = (serverName: string, initialChunk?: Buffer) => {
-        // Check if the IP is allowed by default.
-        const isDefaultAllowed = this.settings.defaultAllowedIPs && isAllowed(remoteIP, this.settings.defaultAllowedIPs);
-        if (!isDefaultAllowed && serverName) {
-          const domainConfig = findMatchingDomain(serverName);
-          if (!domainConfig) {
-            console.log(`Connection rejected: No matching domain config for ${serverName} from ${remoteIP}`);
-            socket.end();
-            if (incomingTermReason === null) {
-              incomingTermReason = 'rejected';
-              this.incrementTerminationStat('incoming', 'rejected');
-            }
-            cleanupOnce();
-            return;
-          }
-          if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
-            console.log(`Connection rejected: IP ${remoteIP} not allowed for domain ${serverName}`);
-            socket.end();
-            if (incomingTermReason === null) {
-              incomingTermReason = 'rejected';
-              this.incrementTerminationStat('incoming', 'rejected');
-            }
-            cleanupOnce();
-            return;
-          }
-        } else if (!isDefaultAllowed && !serverName) {
-          console.log(`Connection rejected: No SNI and IP ${remoteIP} not in default allowed list`);
-          socket.end();
-          if (incomingTermReason === null) {
-            incomingTermReason = 'rejected';
-            this.incrementTerminationStat('incoming', 'rejected');
-          }
-          cleanupOnce();
-          return;
-        } else {
-          console.log(`Connection allowed: IP ${remoteIP} is in default allowed list`);
-        }
-
-        // Determine target host.
-        const domainConfig = serverName ? findMatchingDomain(serverName) : undefined;
-        const targetHost = domainConfig?.targetIP || this.settings.toHost!;
-
-        // Create connection options.
-        const connectionOptions: plugins.net.NetConnectOpts = {
-          host: targetHost,
-          port: this.settings.toPort,
-        };
-        if (this.settings.preserveSourceIP) {
-          connectionOptions.localAddress = remoteIP.replace('::ffff:', '');
-        }
-
-        // Establish outgoing connection.
-        to = plugins.net.connect(connectionOptions);
-        if (to) {
-          this.outgoingConnectionTimes.set(to, Date.now());
-        }
-        console.log(`Connection established: ${remoteIP} -> ${targetHost}:${this.settings.toPort}${serverName ? ` (SNI: ${serverName})` : ''}`);
-        
-        // Push back the initial chunk if provided.
-        if (initialChunk) {
-          socket.unshift(initialChunk);
-        }
-        socket.setTimeout(120000);
-        socket.pipe(to!);
-        to!.pipe(socket);
-
-        // Attach event handlers for both sockets.
-        socket.on('error', handleError('incoming'));
-        to!.on('error', handleError('outgoing'));
-        socket.on('close', handleClose('incoming'));
-        to!.on('close', handleClose('outgoing'));
-        socket.on('timeout', () => {
-          console.log(`Timeout on incoming side from ${remoteIP}`);
-          if (incomingTermReason === null) {
-            incomingTermReason = 'timeout';
-            this.incrementTerminationStat('incoming', 'timeout');
-          }
-          cleanupOnce();
-        });
-        to!.on('timeout', () => {
-          console.log(`Timeout on outgoing side from ${remoteIP}`);
-          if (outgoingTermReason === null) {
-            outgoingTermReason = 'timeout';
-            this.incrementTerminationStat('outgoing', 'timeout');
-          }
-          cleanupOnce();
-        });
-        socket.on('end', handleClose('incoming'));
-        to!.on('end', handleClose('outgoing'));
-      };
-
-      // For SNI-enabled connections, peek at the first chunk.
-      if (this.settings.sniEnabled) {
-        socket.once('data', (chunk: Buffer) => {
-          initialDataReceived = true;
-          const serverName = extractSNI(chunk) || '';
-          console.log(`Received connection from ${remoteIP} with SNI: ${serverName}`);
-          setupConnection(serverName, chunk);
-        });
-      } else {
-        // For non-SNI connections, simply check defaultAllowedIPs.
-        initialDataReceived = true;
-        if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
-          console.log(`Connection rejected: IP ${remoteIP} not allowed for non-SNI connection`);
-          socket.end();
-          if (incomingTermReason === null) {
-            incomingTermReason = 'rejected';
-            this.incrementTerminationStat('incoming', 'rejected');
-          }
-          cleanupOnce();
-          return;
-        }
-        setupConnection('');
-      }
-    })
-    .on('error', (err: Error) => {
-      console.log(`Server Error: ${err.message}`);
-    })
-    .listen(this.settings.fromPort, () => {
-      console.log(`PortProxy -> OK: Now listening on port ${this.settings.fromPort}${this.settings.sniEnabled ? ' (SNI passthrough enabled)' : ''}`);
-    });
-
-    // Log active connection count, longest running connection durations,
-    // and termination statistics every 10 seconds.
-    this.connectionLogger = setInterval(() => {
-      const now = Date.now();
-      let maxIncoming = 0;
-      for (const startTime of this.incomingConnectionTimes.values()) {
-        const duration = now - startTime;
-        if (duration > maxIncoming) {
-          maxIncoming = duration;
-        }
-      }
-      let maxOutgoing = 0;
-      for (const startTime of this.outgoingConnectionTimes.values()) {
-        const duration = now - startTime;
-        if (duration > maxOutgoing) {
-          maxOutgoing = duration;
-        }
-      }
-      console.log(`(Interval Log) Active connections: ${this.activeConnections.size}. Longest running incoming: ${plugins.prettyMs(maxIncoming)}, outgoing: ${plugins.prettyMs(maxOutgoing)}. Termination stats (incoming): ${JSON.stringify(this.terminationStats.incoming)}, (outgoing): ${JSON.stringify(this.terminationStats.outgoing)}`);
-    }, 10000);
-  }
-
-  public async stop() {
-    const done = plugins.smartpromise.defer();
-    this.netServer.close(() => {
-      done.resolve();
-    });
-    if (this.connectionLogger) {
-      clearInterval(this.connectionLogger);
-      this.connectionLogger = null;
-    }
-    await done.promise;
-  }
-}