3.22.0

changelog.md

@@ -1,5 +1,197 @@
 # Changelog
 
+## 2025-03-03 - 3.22.0 - feat(classes.portproxy)
+Enhanced PortProxy to support initial data timeout and improved IP handling
+
+- Added `initialDataTimeout` to PortProxy settings for handling data flow in chained proxies.
+- Improved IP validation by allowing relaxed checks in chained proxy setups.
+- Introduced dynamic logging for connection lifecycle and proxy configurations.
+- Enhanced timeout handling for better proxy resilience.
+
+## 2025-03-03 - 3.21.0 - feat(PortProxy)
+Enhancements to connection management in PortProxy
+
+- Introduced a unique ID for each connection record for improved tracking.
+- Enhanced cleanup mechanism for connections with dual states: initiated and executed.
+- Implemented shutdown process handling to ensure graceful connection closure.
+- Added logging for better tracing of connection activities and states.
+- Improved connection setup with explicit timeouts and data flow management.
+- Integrated inactivity and parity checks to monitor connection health.
+
+## 2025-03-01 - 3.20.2 - fix(PortProxy)
+Enhance connection cleanup handling in PortProxy
+
+- Add checks to ensure timers are reset only if outgoing socket is active
+- Prevent setting outgoingActive if the connection is already closed
+
+## 2025-03-01 - 3.20.1 - fix(PortProxy)
+Improve IP allowance check for forced domains
+
+- Enhanced IP allowance check logic by incorporating blocked IPs and default allowed IPs for forced domains within port proxy configurations.
+
+## 2025-03-01 - 3.20.0 - feat(PortProxy)
+Enhance PortProxy with advanced connection cleanup and logging
+
+- Introduced `cleanupConnection` method for improved connection management.
+- Added logging for connection cleanup including special conditions.
+- Implemented parity check to clean up connections when outgoing side closes but incoming remains active.
+- Improved logging during interval checks for active connections and their durations.
+
+## 2025-03-01 - 3.19.0 - feat(PortProxy)
+Enhance PortProxy with default blocked IPs
+
+- Introduced defaultBlockedIPs in IPortProxySettings to handle globally blocked IPs.
+- Added logic for merging domain-specific and default allowed and blocked IPs for effective IP filtering.
+- Refactored helper functions for IP and port range checks to improve modularity in PortProxy.
+
+## 2025-02-27 - 3.18.2 - fix(portproxy)
+Fixed typographical errors in comments within PortProxy class.
+
+- Corrected typographical errors in comments within the PortProxy class.
+
+## 2025-02-27 - 3.18.1 - fix(PortProxy)
+Refactor and enhance PortProxy test cases and handling
+
+- Refactored test cases in test/test.portproxy.ts for clarity and added coverage.
+- Improved TCP server helper functions for better flexibility.
+- Fixed issues with domain handling in PortProxy configuration.
+- Introduced round-robin logic for multi-IP domains in PortProxy.
+- Ensured proper cleanup and stopping of test servers in the test suite.
+
+## 2025-02-27 - 3.18.0 - feat(PortProxy)
+Add SNI-based renegotiation handling in PortProxy
+
+- Introduced a new field 'lockedDomain' in IConnectionRecord to store initial SNI.
+- Enhanced connection management by enforcing termination if rehandshake is detected with different SNI.
+
+## 2025-02-27 - 3.17.1 - fix(PortProxy)
+Fix handling of SNI re-negotiation in PortProxy
+
+- Removed connection locking to the initially negotiated SNI
+- Improved handling of SNI during renegotiation in PortProxy
+
+## 2025-02-27 - 3.17.0 - feat(smartproxy)
+Enhance description clarity and improve SNI handling with domain locking.
+
+- Improved package description in package.json, readme.md, and npmextra.json for better clarity and keyword optimization.
+- Enhanced SNI handling in PortProxy by adding domain locking and extra checks to terminate connections if a different SNI is detected post-handshake.
+- Refactored readme.md to better explain the usage and functionalities of the proxy features including SSL redirection, WebSocket handling, and dynamic routing.
+
+## 2025-02-27 - 3.16.9 - fix(portproxy)
+Extend domain input validation to support string arrays in port proxy configurations.
+
+- Modify IDomainConfig interface to allow domain specification as string array.
+- Update connection setup logic to handle multiple domain patterns.
+- Enhance domain rejection logging to include all domain patterns.
+
+## 2025-02-27 - 3.16.8 - fix(PortProxy)
+Fix IP filtering for domain and global default allowed lists and improve port-based routing logic.
+
+- Improved logic to prioritize domain-specific allowed IPs over global defaults.
+- Fixed port-based rules application to handle global port ranges more effectively.
+- Enhanced rejection handling for unauthorized IP addresses in both domain-specific and default global lists.
+
+## 2025-02-27 - 3.16.7 - fix(PortProxy)
+Improved IP validation logic in PortProxy to ensure correct domain matching and fallback
+
+- Refactored the setupConnection function inside PortProxy to enhance IP address validation.
+- Domain-specific allowed IP preference is applied before default list lookup.
+- Removed redundant condition checks to streamline connection rejection paths.
+
+## 2025-02-27 - 3.16.6 - fix(PortProxy)
+Optimize connection cleanup logic in PortProxy by removing unnecessary delays.
+
+- Removed multiple await plugins.smartdelay.delayFor(0) calls.
+- Improved performance by ensuring timely resource release during connection termination.
+
+## 2025-02-27 - 3.16.5 - fix(PortProxy)
+Improved connection cleanup process with added asynchronous delays
+
+- Connection cleanup now includes asynchronous delays for reliable order of operations.
+
+## 2025-02-27 - 3.16.4 - fix(PortProxy)
+Fix and enhance port proxy handling
+
+- Ensure that all created proxy servers are correctly checked for listening state.
+- Corrected the handling of ports and domain configurations within port proxy setups.
+- Expanded test coverage for handling multiple concurrent and chained proxy connections.
+
+## 2025-02-27 - 3.16.3 - fix(PortProxy)
+Refactored PortProxy to support multiple listening ports and improved modularity.
+
+- Updated PortProxy to allow multiple listening ports with flexible configuration.
+- Moved helper functions for IP and port range checks outside the class for cleaner code structure.
+
+## 2025-02-27 - 3.16.2 - fix(PortProxy)
+Fix port-based routing logic in PortProxy
+
+- Optimized the handling and checking of local ports in the global port range.
+- Fixed the logic for rejecting or accepting connections based on predefined port ranges.
+- Improved handling of the default and specific domain configurations during port-based connections.
+
+## 2025-02-27 - 3.16.1 - fix(core)
+Updated minor version numbers in dependencies for patch release.
+
+- No specific file changes detected.
+- Dependencies versioning adjusted for stability.
+
+## 2025-02-27 - 3.16.0 - feat(PortProxy)
+Enhancements made to PortProxy settings and capabilities
+
+- Added 'forwardAllGlobalRanges' and 'targetIP' to IPortProxySettings.
+- Improved PortProxy to forward connections based on domain-specific configurations.
+- Added comprehensive handling for global port-range based connection forwarding.
+- Enabled forwarding of all connections on global port ranges directly to global target IP.
+
+## 2025-02-27 - 3.15.0 - feat(classes.portproxy)
+Add support for port range-based routing with enhanced IP and port validation.
+
+- Introduced globalPortRanges in IPortProxySettings for routing based on port ranges.
+- Improved connection handling with port range and domain configuration validations.
+- Updated connection logging to include the local port information.
+
+## 2025-02-26 - 3.14.2 - fix(PortProxy)
+Fix cleanup timer reset for PortProxy
+
+- Resolved an issue where the cleanup timer in the PortProxy class did not reset correctly if both incoming and outgoing data events were triggered without clearing flags.
+
+## 2025-02-26 - 3.14.1 - fix(PortProxy)
+Increased default maxConnectionLifetime for PortProxy to 600000 ms
+
+- Updated PortProxy settings to extend default maxConnectionLifetime to 10 minutes.
+
+## 2025-02-26 - 3.14.0 - feat(PortProxy)
+Introduce max connection lifetime feature
+
+- Added an optional maxConnectionLifetime setting for PortProxy.
+- Forces cleanup of long-lived connections based on inactivity or lifetime limit.
+
+## 2025-02-25 - 3.13.0 - feat(core)
+Add support for tagging iptables rules with comments and cleaning them up on process exit
+
+- Extended IPTablesProxy class to include tagging rules with unique comments.
+- Added feature to clean up iptables rules via comments during process exit.
+
+## 2025-02-24 - 3.12.0 - feat(IPTablesProxy)
+Introduce IPTablesProxy class for managing iptables NAT rules
+
+- Added IPTablesProxy class to facilitate basic port forwarding using iptables.
+- Introduced IIpTableProxySettings interface for configuring IPTablesProxy.
+- Implemented start and stop methods for managing iptables rules dynamically.
+
+## 2025-02-24 - 3.11.0 - feat(Port80Handler)
+Add automatic certificate issuance with ACME client
+
+- Implemented automatic certificate issuance using 'acme-client' for Port80Handler.
+- Converts account key and CSR from Buffers to strings for processing.
+- Implemented HTTP-01 challenge handling for certificate acquisition.
+- New certificates are fetched and added dynamically.
+
+## 2025-02-24 - 3.10.5 - fix(portproxy)
+Fix incorrect import path in test file
+
+- Change import path from '../ts/smartproxy.portproxy.js' to '../ts/classes.portproxy.js' in test/test.portproxy.ts
+
 ## 2025-02-23 - 3.10.4 - fix(PortProxy)
 Refactor connection tracking to utilize unified records in PortProxy
 

npmextra.json

@@ -5,22 +5,26 @@
       "githost": "code.foss.global",
       "gitscope": "push.rocks",
       "gitrepo": "smartproxy",
-      "description": "a proxy for handling high workloads of proxying",
+      "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.",
       "npmPackagename": "@push.rocks/smartproxy",
       "license": "MIT",
       "projectDomain": "push.rocks",
       "keywords": [
         "proxy",
-        "network traffic",
+        "network",
+        "traffic management",
+        "SSL",
+        "TLS",
+        "WebSocket",
+        "port proxying",
+        "dynamic routing",
+        "authentication",
+        "real-time applications",
         "high workload",
-        "http",
-        "https",
-        "websocket",
-        "network routing",
-        "ssl redirect",
-        "port mapping",
+        "HTTPS",
         "reverse proxy",
-        "authentication"
+        "server",
+        "network security"
       ]
     }
   },

package.json

@@ -1,8 +1,8 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "3.10.4",
+  "version": "3.22.0",
   "private": false,
-  "description": "a proxy for handling high workloads of proxying",
+  "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.",
   "main": "dist_ts/index.js",
   "typings": "dist_ts/index.d.ts",
   "type": "module",
@@ -31,6 +31,7 @@
     "@tsclass/tsclass": "^4.4.0",
     "@types/minimatch": "^5.1.2",
     "@types/ws": "^8.5.14",
+    "acme-client": "^5.4.0",
     "minimatch": "^9.0.3",
     "pretty-ms": "^9.2.0",
     "ws": "^8.18.0"
@@ -52,16 +53,20 @@
   ],
   "keywords": [
     "proxy",
-    "network traffic",
+    "network",
+    "traffic management",
+    "SSL",
+    "TLS",
+    "WebSocket",
+    "port proxying",
+    "dynamic routing",
+    "authentication",
+    "real-time applications",
     "high workload",
-    "http",
-    "https",
-    "websocket",
-    "network routing",
-    "ssl redirect",
-    "port mapping",
+    "HTTPS",
     "reverse proxy",
-    "authentication"
+    "server",
+    "network security"
   ],
   "homepage": "https://code.foss.global/push.rocks/smartproxy#readme",
   "repository": {

pnpm-lock.yaml

@@ -32,6 +32,9 @@ importers:
       '@types/ws':
         specifier: ^8.5.14
         version: 8.5.14
+      acme-client:
+        specifier: ^5.4.0
+        version: 5.4.0
       minimatch:
         specifier: ^9.0.3
         version: 9.0.5
@@ -683,6 +686,39 @@ packages:
   '@pdf-lib/upng@1.0.1':
     resolution: {integrity: sha512-dQK2FUMQtowVP00mtIksrlZhdFXQZPC+taih1q4CvPZ5vqdxR/LKBaFg0oAfzd1GlHZXXSPdQfzQnt+ViGvEIQ==}
 
+  '@peculiar/asn1-cms@2.3.15':
+    resolution: {integrity: sha512-B+DoudF+TCrxoJSTjjcY8Mmu+lbv8e7pXGWrhNp2/EGJp9EEcpzjBCar7puU57sGifyzaRVM03oD5L7t7PghQg==}
+
+  '@peculiar/asn1-csr@2.3.15':
+    resolution: {integrity: sha512-caxAOrvw2hUZpxzhz8Kp8iBYKsHbGXZPl2KYRMIPvAfFateRebS3136+orUpcVwHRmpXWX2kzpb6COlIrqCumA==}
+
+  '@peculiar/asn1-ecc@2.3.15':
+    resolution: {integrity: sha512-/HtR91dvgog7z/WhCVdxZJ/jitJuIu8iTqiyWVgRE9Ac5imt2sT/E4obqIVGKQw7PIy+X6i8lVBoT6wC73XUgA==}
+
+  '@peculiar/asn1-pfx@2.3.15':
+    resolution: {integrity: sha512-E3kzQe3J2xV9DP6SJS4X6/N1e4cYa2xOAK46VtvpaRk8jlheNri8v0rBezKFVPB1rz/jW8npO+u1xOvpATFMWg==}
+
+  '@peculiar/asn1-pkcs8@2.3.15':
+    resolution: {integrity: sha512-/PuQj2BIAw1/v76DV1LUOA6YOqh/UvptKLJHtec/DQwruXOCFlUo7k6llegn8N5BTeZTWMwz5EXruBw0Q10TMg==}
+
+  '@peculiar/asn1-pkcs9@2.3.15':
+    resolution: {integrity: sha512-yiZo/1EGvU1KiQUrbcnaPGWc0C7ElMMskWn7+kHsCFm+/9fU0+V1D/3a5oG0Jpy96iaXggQpA9tzdhnYDgjyFg==}
+
+  '@peculiar/asn1-rsa@2.3.15':
+    resolution: {integrity: sha512-p6hsanvPhexRtYSOHihLvUUgrJ8y0FtOM97N5UEpC+VifFYyZa0iZ5cXjTkZoDwxJ/TTJ1IJo3HVTB2JJTpXvg==}
+
+  '@peculiar/asn1-schema@2.3.15':
+    resolution: {integrity: sha512-QPeD8UA8axQREpgR5UTAfu2mqQmm97oUqahDtNdBcfj3qAnoXzFdQW+aNf/tD2WVXF8Fhmftxoj0eMIT++gX2w==}
+
+  '@peculiar/asn1-x509-attr@2.3.15':
+    resolution: {integrity: sha512-TWJVJhqc+IS4MTEML3l6W1b0sMowVqdsnI4dnojg96LvTuP8dga9f76fjP07MUuss60uSyT2ckoti/2qHXA10A==}
+
+  '@peculiar/asn1-x509@2.3.15':
+    resolution: {integrity: sha512-0dK5xqTqSLaxv1FHXIcd4Q/BZNuopg+u1l23hT9rOmQ1g4dNtw0g/RnEi+TboB0gOwGtrWn269v27cMgchFIIg==}
+
+  '@peculiar/x509@1.12.3':
+    resolution: {integrity: sha512-+Mzq+W7cNEKfkNZzyLl6A6ffqc3r21HGZUezgfKxpZrkORfOqgRXnS80Zu0IV6a9Ue9QBJeKD7kN0iWfc3bhRQ==}
+
   '@pkgjs/parseargs@0.11.0':
     resolution: {integrity: sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==}
     engines: {node: '>=14'}
@@ -1563,6 +1599,10 @@ packages:
     resolution: {integrity: sha512-PYAthTa2m2VKxuvSD3DPC/Gy+U+sOA1LAuT8mkmRuvw+NACSaeXEQ+NHcVF7rONl6qcaxV3Uuemwawk+7+SJLw==}
     engines: {node: '>= 0.6'}
 
+  acme-client@5.4.0:
+    resolution: {integrity: sha512-mORqg60S8iML6XSmVjqjGHJkINrCGLMj2QvDmFzI9vIlv1RGlyjmw3nrzaINJjkNsYXC41XhhD5pfy7CtuGcbA==}
+    engines: {node: '>= 16'}
+
   agent-base@6.0.2:
     resolution: {integrity: sha512-RZNwNclF7+MS/8bDg70amg32dyeZGZxiDuQmZxKLAlQjr3jGyLx+4Kkk58UO7D2QdgFIQCovuSuZESne6RG6XQ==}
     engines: {node: '>= 6.0.0'}
@@ -1626,6 +1666,10 @@ packages:
     resolution: {integrity: sha512-HGyxoOTYUyCM6stUe6EJgnd4EoewAI7zMdfqO+kGjnlZmBDz/cR5pf8r/cR4Wq60sL/p0IkcjUEEPwS3GFrIyw==}
     engines: {node: '>=8'}
 
+  asn1js@3.0.5:
+    resolution: {integrity: sha512-FVnvrKJwpt9LP2lAMl8qZswRNm3T4q9CON+bxldk2iwk3FFpuwhx2FfinyitizWHsVYyaY+y5JzDR0rCMV5yTQ==}
+    engines: {node: '>=12.0.0'}
+
   astral-regex@2.0.0:
     resolution: {integrity: sha512-Z7tMw1ytTXt5jqMcOP+OQteU1VuNK9Y02uuJtKQ1Sv69jXQKKg5cibLwGJow8yzZP+eAc18EmLGPal0bp36rvQ==}
     engines: {node: '>=8'}
@@ -1643,6 +1687,9 @@ packages:
     resolution: {integrity: sha512-RE3mdQ7P3FRSe7eqCWoeQ/Z9QXrtniSjp1wUjt5nRC3WIpz5rSCve6o3fsZ2aCpJtrZjSZgjwXAoTO5k4tEI0w==}
     engines: {node: '>=4'}
 
+  axios@1.7.9:
+    resolution: {integrity: sha512-LhLcE7Hbiryz8oMDdDptSrWowmB4Bl6RCt6sIJKpRB4XtVf0iEgewX3au/pJqm+Py1kCASkb/FFKjxQaLtxJvw==}
+
   b4a@1.6.7:
     resolution: {integrity: sha512-OnAYlL5b7LEkALw87fUVafQw5rVR9RjwGd4KUwNQ6DrrNmaVaUCgLipfVlzrPQ4tWOR9P0IXGNOx50jYCCdSJg==}
 
@@ -3463,6 +3510,13 @@ packages:
     resolution: {integrity: sha512-+vZPU8iBSdCx1Kn5hHas80fyo0TiVyMeqLGv/1dygX2HKhAZjO9YThadbRTCoTYq0yWw+w/CysldPsEekDtjDQ==}
     engines: {node: '>=14.1.0'}
 
+  pvtsutils@1.3.6:
+    resolution: {integrity: sha512-PLgQXQ6H2FWCaeRak8vvk1GW462lMxB5s3Jm673N82zI4vqtVUPuZdffdZbPDFRoU8kAhItWFtPCWiPpp4/EDg==}
+
+  pvutils@1.1.3:
+    resolution: {integrity: sha512-pMpnA0qRdFp32b1sJl1wOJNxZLQ2cbQx+k6tjNtZ8CpvVhNqEPRgivZ2WOUev2YMajecdH7ctUPDvEe87nariQ==}
+    engines: {node: '>=6.0.0'}
+
   qs@6.13.0:
     resolution: {integrity: sha512-+38qI9SOr8tfZ4QmJNplMUxqjbe7LKvvZgWdExBOmd+egZTtjLB67Gu0HRX3u/XOq7UU2Nx6nsjvS16Z9uwfpg==}
     engines: {node: '>=0.6'}
@@ -3508,6 +3562,9 @@ packages:
     resolution: {integrity: sha512-h80JrZu/MHUZCyHu5ciuoI0+WxsCxzxJTILn6Fs8rxSnFPh+UVHYfeIxK1nVGugMqkfC4vJcBOYbkfkwYK0+gw==}
     engines: {node: '>= 14.18.0'}
 
+  reflect-metadata@0.2.2:
+    resolution: {integrity: sha512-urBwgfrvVP/eAyXx4hluJivBKzuEbSQs9rKWCrCkbSxNv8mxPcUZKeuoF3Uy4mJl3Lwprp6yy5/39VWigZ4K6Q==}
+
   regenerator-runtime@0.14.1:
     resolution: {integrity: sha512-dYnhHh0nJoMfnkZs6GmmhFknAGRrLznOu5nc9ML+EJxGvrx6H7teuevqVqCuPcPK//3eDrrjQhehXVx9cnkGdw==}
 
@@ -3897,6 +3954,10 @@ packages:
     engines: {node: '>=18.0.0'}
     hasBin: true
 
+  tsyringe@4.8.0:
+    resolution: {integrity: sha512-YB1FG+axdxADa3ncEtRnQCFq/M0lALGLxSZeVNbTU8NqhOVc51nnv2CISTcvc1kyv6EGPtXVr0v6lWeDxiijOA==}
+    engines: {node: '>= 6.0.0'}
+
   turndown-plugin-gfm@1.0.2:
     resolution: {integrity: sha512-vwz9tfvF7XN/jE0dGoBei3FXWuvll78ohzCZQuOb+ZjWrs3a0XhQVomJEb2Qh4VHTPNRO4GPZh0V7VRbiWwkRg==}
 
@@ -5212,6 +5273,96 @@ snapshots:
     dependencies:
       pako: 1.0.11
 
+  '@peculiar/asn1-cms@2.3.15':
+    dependencies:
+      '@peculiar/asn1-schema': 2.3.15
+      '@peculiar/asn1-x509': 2.3.15
+      '@peculiar/asn1-x509-attr': 2.3.15
+      asn1js: 3.0.5
+      tslib: 2.8.1
+
+  '@peculiar/asn1-csr@2.3.15':
+    dependencies:
+      '@peculiar/asn1-schema': 2.3.15
+      '@peculiar/asn1-x509': 2.3.15
+      asn1js: 3.0.5
+      tslib: 2.8.1
+
+  '@peculiar/asn1-ecc@2.3.15':
+    dependencies:
+      '@peculiar/asn1-schema': 2.3.15
+      '@peculiar/asn1-x509': 2.3.15
+      asn1js: 3.0.5
+      tslib: 2.8.1
+
+  '@peculiar/asn1-pfx@2.3.15':
+    dependencies:
+      '@peculiar/asn1-cms': 2.3.15
+      '@peculiar/asn1-pkcs8': 2.3.15
+      '@peculiar/asn1-rsa': 2.3.15
+      '@peculiar/asn1-schema': 2.3.15
+      asn1js: 3.0.5
+      tslib: 2.8.1
+
+  '@peculiar/asn1-pkcs8@2.3.15':
+    dependencies:
+      '@peculiar/asn1-schema': 2.3.15
+      '@peculiar/asn1-x509': 2.3.15
+      asn1js: 3.0.5
+      tslib: 2.8.1
+
+  '@peculiar/asn1-pkcs9@2.3.15':
+    dependencies:
+      '@peculiar/asn1-cms': 2.3.15
+      '@peculiar/asn1-pfx': 2.3.15
+      '@peculiar/asn1-pkcs8': 2.3.15
+      '@peculiar/asn1-schema': 2.3.15
+      '@peculiar/asn1-x509': 2.3.15
+      '@peculiar/asn1-x509-attr': 2.3.15
+      asn1js: 3.0.5
+      tslib: 2.8.1
+
+  '@peculiar/asn1-rsa@2.3.15':
+    dependencies:
+      '@peculiar/asn1-schema': 2.3.15
+      '@peculiar/asn1-x509': 2.3.15
+      asn1js: 3.0.5
+      tslib: 2.8.1
+
+  '@peculiar/asn1-schema@2.3.15':
+    dependencies:
+      asn1js: 3.0.5
+      pvtsutils: 1.3.6
+      tslib: 2.8.1
+
+  '@peculiar/asn1-x509-attr@2.3.15':
+    dependencies:
+      '@peculiar/asn1-schema': 2.3.15
+      '@peculiar/asn1-x509': 2.3.15
+      asn1js: 3.0.5
+      tslib: 2.8.1
+
+  '@peculiar/asn1-x509@2.3.15':
+    dependencies:
+      '@peculiar/asn1-schema': 2.3.15
+      asn1js: 3.0.5
+      pvtsutils: 1.3.6
+      tslib: 2.8.1
+
+  '@peculiar/x509@1.12.3':
+    dependencies:
+      '@peculiar/asn1-cms': 2.3.15
+      '@peculiar/asn1-csr': 2.3.15
+      '@peculiar/asn1-ecc': 2.3.15
+      '@peculiar/asn1-pkcs9': 2.3.15
+      '@peculiar/asn1-rsa': 2.3.15
+      '@peculiar/asn1-schema': 2.3.15
+      '@peculiar/asn1-x509': 2.3.15
+      pvtsutils: 1.3.6
+      reflect-metadata: 0.2.2
+      tslib: 2.8.1
+      tsyringe: 4.8.0
+
   '@pkgjs/parseargs@0.11.0':
     optional: true
 
@@ -6783,6 +6934,16 @@ snapshots:
       mime-types: 2.1.35
       negotiator: 0.6.3
 
+  acme-client@5.4.0:
+    dependencies:
+      '@peculiar/x509': 1.12.3
+      asn1js: 3.0.5
+      axios: 1.7.9(debug@4.4.0)
+      debug: 4.4.0
+      node-forge: 1.3.1
+    transitivePeerDependencies:
+      - supports-color
+
   agent-base@6.0.2:
     dependencies:
       debug: 4.3.4
@@ -6834,6 +6995,12 @@ snapshots:
 
   array-union@2.1.0: {}
 
+  asn1js@3.0.5:
+    dependencies:
+      pvtsutils: 1.3.6
+      pvutils: 1.1.3
+      tslib: 2.8.1
+
   astral-regex@2.0.0: {}
 
   async-mutex@0.3.2:
@@ -6846,6 +7013,14 @@ snapshots:
 
   axe-core@4.10.2: {}
 
+  axios@1.7.9(debug@4.4.0):
+    dependencies:
+      follow-redirects: 1.15.9(debug@4.4.0)
+      form-data: 4.0.1
+      proxy-from-env: 1.1.0
+    transitivePeerDependencies:
+      - debug
+
   b4a@1.6.7: {}
 
   bail@2.0.2: {}
@@ -8954,6 +9129,12 @@ snapshots:
       - supports-color
       - utf-8-validate
 
+  pvtsutils@1.3.6:
+    dependencies:
+      tslib: 2.8.1
+
+  pvutils@1.1.3: {}
+
   qs@6.13.0:
     dependencies:
       side-channel: 1.1.0
@@ -9008,6 +9189,8 @@ snapshots:
 
   readdirp@4.1.1: {}
 
+  reflect-metadata@0.2.2: {}
+
   regenerator-runtime@0.14.1: {}
 
   registry-auth-token@5.0.3:
@@ -9488,6 +9671,10 @@ snapshots:
     optionalDependencies:
       fsevents: 2.3.3
 
+  tsyringe@4.8.0:
+    dependencies:
+      tslib: 1.14.1
+
   turndown-plugin-gfm@1.0.2: {}
 
   turndown@7.2.0:

readme.md

@@ -1,6 +1,6 @@
 # @push.rocks/smartproxy
 
-A proxy for handling high workloads of proxying.
+A robust and versatile proxy package designed to handle high workloads, offering features like SSL redirection, port proxying, WebSocket support, and customizable routing and authentication.
 
 ## Install
 
@@ -14,19 +14,19 @@ This will add `@push.rocks/smartproxy` to your project's dependencies.
 
 ## Usage
 
-`@push.rocks/smartproxy` is a versatile package for setting up and handling proxies with various capabilities such as SSL redirection, port proxying, and creating network proxies with complex routing rules. Below is a comprehensive guide on using its features.
+`@push.rocks/smartproxy` is a comprehensive package that provides advanced functionalities for handling proxy tasks efficiently, including SSL redirection, port proxying, WebSocket support, and dynamic routing with authentication capabilities. Here is an extensive guide on how to utilize these features effectively, ensuring robust and secure proxy operations.
 
-### Setting Up a Network Proxy
+### Initial Setup
 
-Create a network proxy to route incoming HTTPS requests to different local servers based on the hostname.
+Before exploring the advanced features of `smartproxy`, you need to set up a basic proxy server. This setup serves as the foundation for incorporating additional functionalities later on:
 
 ```typescript
 import { NetworkProxy } from '@push.rocks/smartproxy';
 
-// Instantiate the NetworkProxy with desired options
+// Create an instance of NetworkProxy with the desired configuration
 const myNetworkProxy = new NetworkProxy({ port: 443 });
 
-// Define your reverse proxy configurations
+// Define reverse proxy configurations for the domains you wish to proxy
 const proxyConfigs = [
   {
     destinationIp: '127.0.0.1',
@@ -39,70 +39,194 @@ PRIVATE_KEY_CONTENT
 CERTIFICATE_CONTENT
 -----END CERTIFICATE-----`,
   },
-  // Add more reverse proxy configurations here
+  // Additional configurations can be added here
 ];
 
-// Start the network proxy
+// Start the network proxy to enable forwarding
 await myNetworkProxy.start();
 
-// Update proxy configurations dynamically
+// Apply the configurations you defined earlier
 await myNetworkProxy.updateProxyConfigs(proxyConfigs);
 
-// Optionally, add default headers to all responses
+// Optionally, you can set default headers to be included in all responses
 await myNetworkProxy.addDefaultHeaders({
   'X-Powered-By': 'smartproxy',
 });
 ```
 
-### Port Proxying
+### Configuring SSL Redirection
 
-You can also set up a port proxy to forward traffic from one port to another, which is useful for dynamic port forwarding scenarios.
-
-```typescript
-import { PortProxy } from '@push.rocks/smartproxy';
-
-// Create a PortProxy to forward traffic from port 5000 to port 3000
-const myPortProxy = new PortProxy(5000, 3000);
-
-// Start the port proxy
-await myPortProxy.start();
-
-// To stop the port proxy, simply call
-await myPortProxy.stop();
-```
-
-### Enabling SSL Redirection
-
-Easily redirect HTTP traffic to HTTPS using the `SslRedirect` class. This is particularly useful when ensuring all traffic uses encryption.
+A critical feature of modern proxy servers is the ability to redirect HTTP traffic to secure HTTPS endpoints. The `SslRedirect` class in `smartproxy` simplifies this process by automatically redirecting requests from HTTP port 80 to HTTPS:
 
 ```typescript
 import { SslRedirect } from '@push.rocks/smartproxy';
 
-// Instantiate the SslRedirect on port 80 (HTTP)
+// Create an SslRedirect instance to listen on port 80
 const mySslRedirect = new SslRedirect(80);
 
-// Start listening and redirecting to HTTPS
+// Start the redirect to enforce HTTPS
 await mySslRedirect.start();
 
-// To stop the redirection, use
+// To stop HTTP redirection, use the following command:
 await mySslRedirect.stop();
 ```
 
-### Advanced Usage
+### Managing Port Proxying
 
-The package integrates seamlessly with TypeScript, allowing for advanced use cases, such as implementing custom routing logic, authentication mechanisms, and handling WebSocket connections through the network proxy.
+Port proxying is essential for forwarding traffic from one port to another, an important feature for services that require dynamic port changes without downtime. Smartproxy's `PortProxy` class efficiently handles these scenarios:
 
-For a more advanced setup involving WebSocket proxying and dynamic configuration reloading, refer to the network proxy example provided above. The WebSocket support demonstrates how seamless it is to work with real-time applications.
+```typescript
+import { PortProxy } from '@push.rocks/smartproxy';
 
-Remember, when dealing with certificates and private keys for HTTPS configurations, always secure your keys and store them appropriately.
+// Set up a PortProxy to forward traffic from port 5000 to 3000
+const myPortProxy = new PortProxy(5000, 3000);
 
-`@push.rocks/smartproxy` provides a solid foundation for handling high workloads and complex proxying requirements with ease, whether you're implementing SSL redirections, port forwarding, or extensive routing and WebSocket support in your network.
+// Initiate the port proxy
+await myPortProxy.start();
 
-For more information on how to use the features, refer to the in-depth documentation available in the package's repository or the npm package description.
+// To halt the port proxy, execute:
+await myPortProxy.stop();
+```
+
+For more intricate setups—such as forwarding based on specific domain rules or IP allowances—smartproxy allows detailed configurations:
+
+```typescript
+import { PortProxy } from '@push.rocks/smartproxy';
+
+// Configure complex port proxy rules
+const advancedPortProxy = new PortProxy({
+  fromPort: 6000,
+  toPort: 3000,
+  domains: [
+    {
+      domain: 'api.example.com',
+      allowedIPs: ['192.168.0.*', '127.0.0.1'],
+      targetIP: '192.168.1.100'
+    }
+    // Additional domain rules can be added as needed
+  ],
+  sniEnabled: true,  // Server Name Indication (SNI) support
+  defaultAllowedIPs: ['*'],
+});
+
+// Activate the proxy with conditional rules
+await advancedPortProxy.start();
+```
+
+### WebSocket Handling
+
+With real-time applications becoming more prevalent, effective WebSocket handling is crucial in a proxy server. Smartproxy natively incorporates WebSocket support to manage WebSocket traffic securely and efficiently:
+
+```typescript
+import { NetworkProxy } from '@push.rocks/smartproxy';
+
+// Create a NetworkProxy instance for WebSocket traffic
+const wsNetworkProxy = new NetworkProxy({ port: 443 });
+
+// Define proxy configurations targeted for WebSocket traffic
+const websocketConfig = [
+  {
+    destinationIp: '127.0.0.1',
+    destinationPort: '8080',
+    hostName: 'socket.example.com',
+    // Include SSL details if necessary
+  }
+];
+
+// Start the proxy and apply WebSocket settings
+await wsNetworkProxy.start();
+await wsNetworkProxy.updateProxyConfigs(websocketConfig);
+
+// Set heartbeat intervals to maintain WebSocket connections
+wsNetworkProxy.heartbeatInterval = setInterval(() => {
+  // Logic for connection health checks
+}, 60000); // every minute
+
+// Capture and handle server errors for resiliency
+wsNetworkProxy.httpsServer.on('error', (error) => console.log('Server Error:', error));
+```
+
+### Advanced Routing and Custom Features
+
+Smartproxy shines with its dynamic routing capabilities, allowing for custom and advanced request routing based on the request's destination. This enables extensive flexibility, such as directing API requests or facilitating intricate B2B integrations:
+
+```typescript
+import { NetworkProxy } from '@push.rocks/smartproxy';
+
+// Instantiate a proxy with dynamic routing
+const routeProxy = new NetworkProxy({ port: 8443 });
+
+routeProxy.router.setNewProxyConfigs([
+  {
+    destinationIp: '192.168.1.150',
+    destinationPort: '80',
+    hostName: 'dynamic.example.com',
+    authentication: {
+      type: 'Basic',
+      user: 'admin',
+      pass: 'password123'
+    }
+  }
+]);
+
+// Activate the routing proxy
+await routeProxy.start();
+```
+
+For those who require granular traffic control, integrating tools like `iptables` offers additional power over network management:
+
+```typescript
+import { IPTablesProxy } from '@push.rocks/smartproxy';
+
+// Set up IPTables for sophisticated network traffic management
+const iptablesProxy = new IPTablesProxy({
+  fromPort: 8081,
+  toPort: 8080,
+  deleteOnExit: true // Clean up rules when the server shuts down
+});
+
+// Enable routing through IPTables
+await iptablesProxy.start();
+```
+
+### Integrating SSL and HTTP/HTTPS Credentials
+
+Handling sensitive data like SSL keys and certificates securely is crucial in proxy configurations:
+
+```typescript
+import { loadDefaultCertificates } from '@push.rocks/smartproxy';
+
+try {
+  const { privateKey, publicKey } = loadDefaultCertificates(); // Adjust path if necessary
+  console.log('SSL certificates loaded successfully.');
+  // Use these credentials in your configurations
+} catch (error) {
+  console.error('Error loading certificates:', error);
+}
+```
+
+### Testing and Validation
+
+Smartproxy supports extensive testing to ensure your proxy configurations operate as expected. Leveraging `tap` alongside TypeScript testing frameworks supports quality assurance:
+
+```typescript
+import { expect, tap } from '@push.rocks/tapbundle';
+import { NetworkProxy } from '@push.rocks/smartproxy';
+
+tap.test('Check proxied request returns status 200', async () => {
+  // Testing logic
+});
+
+tap.start();
+```
+
+### Conclusion
+
+`@push.rocks/smartproxy` is designed for both simple and complex proxying demands, offering tools for high-performance and secure proxy management across diverse environments. Its efficient configurations are capable of supporting SSL redirection, WebSocket traffic, dynamic routing, and other advanced functionalities, making it indispensable for developers seeking robust and adaptable proxy solutions. By integrating these capabilities with ease of use, `smartproxy` stands out as an essential tool in modern software architecture.
 
 ## License and Legal Information
 
-This repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license](license) file within this repository.
+This repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license](license) file within this repository. 
 
 **Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
 

test/test.portproxy.ts

@@ -1,6 +1,6 @@
 import { expect, tap } from '@push.rocks/tapbundle';
 import * as net from 'net';
-import { PortProxy } from '../ts/smartproxy.portproxy.js';
+import { PortProxy } from '../ts/classes.portproxy.js';
 
 let testServer: net.Server;
 let portProxy: PortProxy;
@@ -8,85 +8,79 @@ const TEST_SERVER_PORT = 4000;
 const PROXY_PORT = 4001;
 const TEST_DATA = 'Hello through port proxy!';
 
-// Helper function to create a test TCP server
-function createTestServer(port: number): Promise<net.Server> {
+// Helper: Creates a test TCP server that listens on a given port and host.
+function createTestServer(port: number, host: string = 'localhost'): Promise<net.Server> {
   return new Promise((resolve) => {
     const server = net.createServer((socket) => {
       socket.on('data', (data) => {
-        // Echo the received data back
+        // Echo the received data back with a prefix.
         socket.write(`Echo: ${data.toString()}`);
       });
-
       socket.on('error', (error) => {
-        console.error('[Test Server] Socket error:', error);
+        console.error(`[Test Server] Socket error on ${host}:${port}:`, error);
       });
     });
-
-    server.listen(port, () => {
-      console.log(`[Test Server] Listening on port ${port}`);
+    server.listen(port, host, () => {
+      console.log(`[Test Server] Listening on ${host}:${port}`);
       resolve(server);
     });
   });
 }
 
-// Helper function to create a test client connection
+// Helper: Creates a test client connection.
 function createTestClient(port: number, data: string): Promise<string> {
   return new Promise((resolve, reject) => {
     const client = new net.Socket();
     let response = '';
-
     client.connect(port, 'localhost', () => {
       console.log('[Test Client] Connected to server');
       client.write(data);
     });
-
     client.on('data', (chunk) => {
       response += chunk.toString();
       client.end();
     });
-
-    client.on('end', () => {
-      resolve(response);
-    });
-
-    client.on('error', (error) => {
-      reject(error);
-    });
+    client.on('end', () => resolve(response));
+    client.on('error', (error) => reject(error));
   });
 }
 
-// Setup test environment
+// SETUP: Create a test server and a PortProxy instance.
 tap.test('setup port proxy test environment', async () => {
   testServer = await createTestServer(TEST_SERVER_PORT);
   portProxy = new PortProxy({
     fromPort: PROXY_PORT,
     toPort: TEST_SERVER_PORT,
-    toHost: 'localhost',
-    domains: [],
+    targetIP: 'localhost',
+    domainConfigs: [],
     sniEnabled: false,
-    defaultAllowedIPs: ['127.0.0.1']
+    defaultAllowedIPs: ['127.0.0.1'],
+    globalPortRanges: []
   });
 });
 
+// Test that the proxy starts and its servers are listening.
 tap.test('should start port proxy', async () => {
   await portProxy.start();
-  expect(portProxy.netServer.listening).toBeTrue();
+  expect((portProxy as any).netServers.every((server: net.Server) => server.listening)).toBeTrue();
 });
 
+// Test basic TCP forwarding.
 tap.test('should forward TCP connections and data to localhost', async () => {
   const response = await createTestClient(PROXY_PORT, TEST_DATA);
   expect(response).toEqual(`Echo: ${TEST_DATA}`);
 });
 
+// Test proxy with a custom target host.
 tap.test('should forward TCP connections to custom host', async () => {
-  // Create a new proxy instance with a custom host
   const customHostProxy = new PortProxy({
     fromPort: PROXY_PORT + 1,
     toPort: TEST_SERVER_PORT,
-    toHost: '127.0.0.1',
-    domains: [],
+    targetIP: '127.0.0.1',
+    domainConfigs: [],
     sniEnabled: false,
-    defaultAllowedIPs: ['127.0.0.1']
+    defaultAllowedIPs: ['127.0.0.1'],
+    globalPortRanges: []
   });
   
   await customHostProxy.start();
@@ -95,148 +89,151 @@ tap.test('should forward TCP connections to custom host', async () => {
   await customHostProxy.stop();
 });
 
-tap.test('should forward connections based on domain-specific target IP', async () => {
-  // Create a second test server on a different port
-  const TEST_SERVER_PORT_2 = TEST_SERVER_PORT + 100;
-  const testServer2 = await createTestServer(TEST_SERVER_PORT_2);
+// Test forced domain routing via port-range configuration.
+// In this test, we want to forward to a different IP (using '127.0.0.2')
+// while keeping the same port. We create a test server on '127.0.0.2'.
+tap.test('should forward connections based on domain-specific target IP (forced domain via port-range)', async () => {
+  const forcedProxyPort = PROXY_PORT + 2;
+  // Create a test server listening on '127.0.0.2' at forcedProxyPort.
+  const testServer2 = await createTestServer(forcedProxyPort, '127.0.0.2');
 
-  // Create a proxy with domain-specific target IPs
   const domainProxy = new PortProxy({
-    fromPort: PROXY_PORT + 2,
-    toPort: TEST_SERVER_PORT,  // default port
-    toHost: 'localhost',       // default host
-    domains: [{
-      domain: 'domain1.test',
+    fromPort: forcedProxyPort,
+    toPort: TEST_SERVER_PORT, // default target port (unused for forced domain)
+    targetIP: 'localhost',
+    domainConfigs: [{
+      domains: ['forced.test'],
       allowedIPs: ['127.0.0.1'],
-      targetIP: '127.0.0.1'
-    }, {
-      domain: 'domain2.test',
-      allowedIPs: ['127.0.0.1'],
-      targetIP: 'localhost'
+      targetIPs: ['127.0.0.2'], // Use a different IP than the default.
+      portRanges: [{ from: forcedProxyPort, to: forcedProxyPort }]
     }],
-    sniEnabled: false, // We'll test without SNI first since this is a TCP proxy test
-    defaultAllowedIPs: ['127.0.0.1']
+    sniEnabled: false,
+    defaultAllowedIPs: ['127.0.0.1'],
+    globalPortRanges: [{ from: forcedProxyPort, to: forcedProxyPort }]
   });
 
   await domainProxy.start();
 
-  // Test default connection (should use default host)
-  const response1 = await createTestClient(PROXY_PORT + 2, TEST_DATA);
-  expect(response1).toEqual(`Echo: ${TEST_DATA}`);
-
-  // Create another proxy with different default host
-  const domainProxy2 = new PortProxy({
-    fromPort: PROXY_PORT + 3,
-    toPort: TEST_SERVER_PORT,
-    toHost: '127.0.0.1',
-    domains: [],
-    sniEnabled: false,
-    defaultAllowedIPs: ['127.0.0.1']
-  });
-
-  await domainProxy2.start();
-  const response2 = await createTestClient(PROXY_PORT + 3, TEST_DATA);
-  expect(response2).toEqual(`Echo: ${TEST_DATA}`);
+  // When connecting to forcedProxyPort, forced domain handling triggers,
+  // so the proxy will connect to '127.0.0.2' on the same port.
+  const response = await createTestClient(forcedProxyPort, TEST_DATA);
+  expect(response).toEqual(`Echo: ${TEST_DATA}`);
 
   await domainProxy.stop();
-  await domainProxy2.stop();
   await new Promise<void>((resolve) => testServer2.close(() => resolve()));
 });
 
+// Test handling of multiple concurrent connections.
 tap.test('should handle multiple concurrent connections', async () => {
   const concurrentRequests = 5;
-  const requests = Array(concurrentRequests).fill(null).map((_, i) => 
+  const requests = Array(concurrentRequests).fill(null).map((_, i) =>
     createTestClient(PROXY_PORT, `${TEST_DATA} ${i + 1}`)
   );
-  
   const responses = await Promise.all(requests);
-  
   responses.forEach((response, i) => {
     expect(response).toEqual(`Echo: ${TEST_DATA} ${i + 1}`);
   });
 });
 
+// Test connection timeout handling.
 tap.test('should handle connection timeouts', async () => {
   const client = new net.Socket();
-  
   await new Promise<void>((resolve) => {
     client.connect(PROXY_PORT, 'localhost', () => {
-      // Don't send any data, just wait for timeout
-      client.on('close', () => {
-        resolve();
-      });
+      // Do not send any data to trigger a timeout.
+      client.on('close', () => resolve());
     });
   });
 });
 
+// Test stopping the port proxy.
 tap.test('should stop port proxy', async () => {
   await portProxy.stop();
-  expect(portProxy.netServer.listening).toBeFalse();
+  expect((portProxy as any).netServers.every((server: net.Server) => !server.listening)).toBeTrue();
 });
 
-// Cleanup
+// Test chained proxies with and without source IP preservation.
 tap.test('should support optional source IP preservation in chained proxies', async () => {
-  // Test 1: Without IP preservation (default behavior)
+  // Chained proxies without IP preservation.
   const firstProxyDefault = new PortProxy({
     fromPort: PROXY_PORT + 4,
     toPort: PROXY_PORT + 5,
-    toHost: 'localhost',
-    domains: [],
+    targetIP: 'localhost',
+    domainConfigs: [],
     sniEnabled: false,
-    defaultAllowedIPs: ['127.0.0.1', '::ffff:127.0.0.1']
+    defaultAllowedIPs: ['127.0.0.1', '::ffff:127.0.0.1'],
+    globalPortRanges: []
   });
-
   const secondProxyDefault = new PortProxy({
     fromPort: PROXY_PORT + 5,
     toPort: TEST_SERVER_PORT,
-    toHost: 'localhost',
-    domains: [],
+    targetIP: 'localhost',
+    domainConfigs: [],
     sniEnabled: false,
-    defaultAllowedIPs: ['127.0.0.1', '::ffff:127.0.0.1']
+    defaultAllowedIPs: ['127.0.0.1', '::ffff:127.0.0.1'],
+    globalPortRanges: []
   });
-
   await secondProxyDefault.start();
   await firstProxyDefault.start();
-
-  // This should work because we explicitly allow both IPv4 and IPv6 formats
   const response1 = await createTestClient(PROXY_PORT + 4, TEST_DATA);
   expect(response1).toEqual(`Echo: ${TEST_DATA}`);
-
   await firstProxyDefault.stop();
   await secondProxyDefault.stop();
 
-  // Test 2: With IP preservation
+  // Chained proxies with IP preservation.
   const firstProxyPreserved = new PortProxy({
     fromPort: PROXY_PORT + 6,
     toPort: PROXY_PORT + 7,
-    toHost: 'localhost',
-    domains: [],
+    targetIP: 'localhost',
+    domainConfigs: [],
     sniEnabled: false,
     defaultAllowedIPs: ['127.0.0.1'],
-    preserveSourceIP: true
+    preserveSourceIP: true,
+    globalPortRanges: []
   });
-
   const secondProxyPreserved = new PortProxy({
     fromPort: PROXY_PORT + 7,
     toPort: TEST_SERVER_PORT,
-    toHost: 'localhost',
-    domains: [],
+    targetIP: 'localhost',
+    domainConfigs: [],
     sniEnabled: false,
     defaultAllowedIPs: ['127.0.0.1'],
-    preserveSourceIP: true
+    preserveSourceIP: true,
+    globalPortRanges: []
   });
-
   await secondProxyPreserved.start();
   await firstProxyPreserved.start();
-
-  // This should work with just IPv4 because source IP is preserved
   const response2 = await createTestClient(PROXY_PORT + 6, TEST_DATA);
   expect(response2).toEqual(`Echo: ${TEST_DATA}`);
-
   await firstProxyPreserved.stop();
   await secondProxyPreserved.stop();
 });
 
+// Test round-robin behavior for multiple target IPs in a domain config.
+tap.test('should use round robin for multiple target IPs in domain config', async () => {
+  const domainConfig = {
+    domains: ['rr.test'],
+    allowedIPs: ['127.0.0.1'],
+    targetIPs: ['hostA', 'hostB']
+  } as any;
+  
+  const proxyInstance = new PortProxy({
+    fromPort: 0,
+    toPort: 0,
+    targetIP: 'localhost',
+    domainConfigs: [domainConfig],
+    sniEnabled: false,
+    defaultAllowedIPs: [],
+    globalPortRanges: []
+  });
+  
+  const firstTarget = (proxyInstance as any).getTargetIP(domainConfig);
+  const secondTarget = (proxyInstance as any).getTargetIP(domainConfig);
+  expect(firstTarget).toEqual('hostA');
+  expect(secondTarget).toEqual('hostB');
+});
+
+// CLEANUP: Tear down the test server.
 tap.test('cleanup port proxy test environment', async () => {
   await new Promise<void>((resolve) => testServer.close(() => resolve()));
 });
@@ -245,9 +242,9 @@ process.on('exit', () => {
   if (testServer) {
     testServer.close();
   }
-  if (portProxy && portProxy.netServer) {
+  if (portProxy && (portProxy as any).netServers) {
     portProxy.stop();
   }
 });
 
-export default tap.start();
+export default tap.start();

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '3.10.4',
-  description: 'a proxy for handling high workloads of proxying'
+  version: '3.22.0',
+  description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.'
 }

ts/classes.iptablesproxy.ts

@@ -0,0 +1,183 @@
+import { exec, execSync } from 'child_process';
+import { promisify } from 'util';
+
+const execAsync = promisify(exec);
+
+/**
+ * Settings for IPTablesProxy.
+ */
+export interface IIpTableProxySettings {
+  fromPort: number;
+  toPort: number;
+  toHost?: string; // Target host for proxying; defaults to 'localhost'
+  preserveSourceIP?: boolean; // If true, the original source IP is preserved.
+  deleteOnExit?: boolean;   // If true, clean up marked iptables rules before process exit.
+}
+
+/**
+ * IPTablesProxy sets up iptables NAT rules to forward TCP traffic.
+ * It only supports basic port forwarding and uses iptables comments to tag rules.
+ */
+export class IPTablesProxy {
+  public settings: IIpTableProxySettings;
+  private rulesInstalled: boolean = false;
+  private ruleTag: string;
+
+  constructor(settings: IIpTableProxySettings) {
+    this.settings = {
+      ...settings,
+      toHost: settings.toHost || 'localhost',
+    };
+    // Generate a unique identifier for the rules added by this instance.
+    this.ruleTag = `IPTablesProxy:${Date.now()}:${Math.random().toString(36).substr(2, 5)}`;
+
+    // If deleteOnExit is true, register cleanup handlers.
+    if (this.settings.deleteOnExit) {
+      const cleanup = () => {
+        try {
+          IPTablesProxy.cleanSlateSync();
+        } catch (err) {
+          console.error('Error cleaning iptables rules on exit:', err);
+        }
+      };
+      process.on('exit', cleanup);
+      process.on('SIGINT', () => {
+        cleanup();
+        process.exit();
+      });
+      process.on('SIGTERM', () => {
+        cleanup();
+        process.exit();
+      });
+    }
+  }
+
+  /**
+   * Sets up iptables rules for port forwarding.
+   * The rules are tagged with a unique comment so that they can be identified later.
+   */
+  public async start(): Promise<void> {
+    const dnatCmd = `iptables -t nat -A PREROUTING -p tcp --dport ${this.settings.fromPort} ` +
+      `-j DNAT --to-destination ${this.settings.toHost}:${this.settings.toPort} ` +
+      `-m comment --comment "${this.ruleTag}:DNAT"`;
+    try {
+      await execAsync(dnatCmd);
+      console.log(`Added iptables rule: ${dnatCmd}`);
+      this.rulesInstalled = true;
+    } catch (err) {
+      console.error(`Failed to add iptables DNAT rule: ${err}`);
+      throw err;
+    }
+
+    // If preserveSourceIP is false, add a MASQUERADE rule.
+    if (!this.settings.preserveSourceIP) {
+      const masqueradeCmd = `iptables -t nat -A POSTROUTING -p tcp -d ${this.settings.toHost} ` +
+        `--dport ${this.settings.toPort} -j MASQUERADE ` +
+        `-m comment --comment "${this.ruleTag}:MASQ"`;
+      try {
+        await execAsync(masqueradeCmd);
+        console.log(`Added iptables rule: ${masqueradeCmd}`);
+      } catch (err) {
+        console.error(`Failed to add iptables MASQUERADE rule: ${err}`);
+        // Roll back the DNAT rule if MASQUERADE fails.
+        try {
+          const rollbackCmd = `iptables -t nat -D PREROUTING -p tcp --dport ${this.settings.fromPort} ` +
+            `-j DNAT --to-destination ${this.settings.toHost}:${this.settings.toPort} ` +
+            `-m comment --comment "${this.ruleTag}:DNAT"`;
+          await execAsync(rollbackCmd);
+          this.rulesInstalled = false;
+        } catch (rollbackErr) {
+          console.error(`Rollback failed: ${rollbackErr}`);
+        }
+        throw err;
+      }
+    }
+  }
+
+  /**
+   * Removes the iptables rules that were added in start(), by matching the unique comment.
+   */
+  public async stop(): Promise<void> {
+    if (!this.rulesInstalled) return;
+
+    const dnatDelCmd = `iptables -t nat -D PREROUTING -p tcp --dport ${this.settings.fromPort} ` +
+      `-j DNAT --to-destination ${this.settings.toHost}:${this.settings.toPort} ` +
+      `-m comment --comment "${this.ruleTag}:DNAT"`;
+    try {
+      await execAsync(dnatDelCmd);
+      console.log(`Removed iptables rule: ${dnatDelCmd}`);
+    } catch (err) {
+      console.error(`Failed to remove iptables DNAT rule: ${err}`);
+    }
+
+    if (!this.settings.preserveSourceIP) {
+      const masqueradeDelCmd = `iptables -t nat -D POSTROUTING -p tcp -d ${this.settings.toHost} ` +
+        `--dport ${this.settings.toPort} -j MASQUERADE ` +
+        `-m comment --comment "${this.ruleTag}:MASQ"`;
+      try {
+        await execAsync(masqueradeDelCmd);
+        console.log(`Removed iptables rule: ${masqueradeDelCmd}`);
+      } catch (err) {
+        console.error(`Failed to remove iptables MASQUERADE rule: ${err}`);
+      }
+    }
+
+    this.rulesInstalled = false;
+  }
+
+  /**
+   * Asynchronously cleans up any iptables rules in the nat table that were added by this module.
+   * It looks for rules with comments containing "IPTablesProxy:".
+   */
+  public static async cleanSlate(): Promise<void> {
+    try {
+      const { stdout } = await execAsync('iptables-save -t nat');
+      const lines = stdout.split('\n');
+      const proxyLines = lines.filter(line => line.includes('IPTablesProxy:'));
+      for (const line of proxyLines) {
+        const trimmedLine = line.trim();
+        if (trimmedLine.startsWith('-A')) {
+          // Replace the "-A" with "-D" to form a deletion command.
+          const deleteRule = trimmedLine.replace('-A', '-D');
+          const cmd = `iptables -t nat ${deleteRule}`;
+          try {
+            await execAsync(cmd);
+            console.log(`Cleaned up iptables rule: ${cmd}`);
+          } catch (err) {
+            console.error(`Failed to remove iptables rule: ${cmd}`, err);
+          }
+        }
+      }
+    } catch (err) {
+      console.error(`Failed to run iptables-save: ${err}`);
+    }
+  }
+
+  /**
+   * Synchronously cleans up any iptables rules in the nat table that were added by this module.
+   * It looks for rules with comments containing "IPTablesProxy:".
+   * This method is intended for use in process exit handlers.
+   */
+  public static cleanSlateSync(): void {
+    try {
+      const stdout = execSync('iptables-save -t nat').toString();
+      const lines = stdout.split('\n');
+      const proxyLines = lines.filter(line => line.includes('IPTablesProxy:'));
+      for (const line of proxyLines) {
+        const trimmedLine = line.trim();
+        if (trimmedLine.startsWith('-A')) {
+          const deleteRule = trimmedLine.replace('-A', '-D');
+          const cmd = `iptables -t nat ${deleteRule}`;
+          try {
+            execSync(cmd);
+            console.log(`Cleaned up iptables rule: ${cmd}`);
+          } catch (err) {
+            console.error(`Failed to remove iptables rule: ${cmd}`, err);
+          }
+        }
+      }
+    } catch (err) {
+      console.error(`Failed to run iptables-save: ${err}`);
+    }
+  }
+}

ts/classes.networkproxy.ts

@@ -1,5 +1,5 @@
 import * as plugins from './plugins.js';
-import { ProxyRouter } from './smartproxy.classes.router.js';
+import { ProxyRouter } from './classes.router.js';
 import * as fs from 'fs';
 import * as path from 'path';
 import { fileURLToPath } from 'url';

ts/classes.port80handler.ts

@@ -0,0 +1,214 @@
+import * as http from 'http';
+import * as acme from 'acme-client';
+
+interface IDomainCertificate {
+  certObtained: boolean;
+  obtainingInProgress: boolean;
+  certificate?: string;
+  privateKey?: string;
+  challengeToken?: string;
+  challengeKeyAuthorization?: string;
+}
+
+export class Port80Handler {
+  private domainCertificates: Map<string, IDomainCertificate>;
+  private server: http.Server;
+  private acmeClient: acme.Client | null = null;
+  private accountKey: string | null = null;
+
+  constructor() {
+    this.domainCertificates = new Map<string, IDomainCertificate>();
+
+    // Create and start an HTTP server on port 80.
+    this.server = http.createServer((req, res) => this.handleRequest(req, res));
+    this.server.listen(80, () => {
+      console.log('Port80Handler is listening on port 80');
+    });
+  }
+
+  /**
+   * Adds a domain to be managed.
+   * @param domain The domain to add.
+   */
+  public addDomain(domain: string): void {
+    if (!this.domainCertificates.has(domain)) {
+      this.domainCertificates.set(domain, { certObtained: false, obtainingInProgress: false });
+      console.log(`Domain added: ${domain}`);
+    }
+  }
+
+  /**
+   * Removes a domain from management.
+   * @param domain The domain to remove.
+   */
+  public removeDomain(domain: string): void {
+    if (this.domainCertificates.delete(domain)) {
+      console.log(`Domain removed: ${domain}`);
+    }
+  }
+
+  /**
+   * Lazy initialization of the ACME client.
+   * Uses Let’s Encrypt’s production directory (for testing you might switch to staging).
+   */
+  private async getAcmeClient(): Promise<acme.Client> {
+    if (this.acmeClient) {
+      return this.acmeClient;
+    }
+    // Generate a new account key and convert Buffer to string.
+    this.accountKey = (await acme.forge.createPrivateKey()).toString();
+    this.acmeClient = new acme.Client({
+      directoryUrl: acme.directory.letsencrypt.production, // Use production for a real certificate
+      // For testing, you could use:
+      // directoryUrl: acme.directory.letsencrypt.staging,
+      accountKey: this.accountKey,
+    });
+    // Create a new account. Make sure to update the contact email.
+    await this.acmeClient.createAccount({
+      termsOfServiceAgreed: true,
+      contact: ['mailto:admin@example.com'],
+    });
+    return this.acmeClient;
+  }
+
+  /**
+   * Handles incoming HTTP requests on port 80.
+   * If the request is for an ACME challenge, it responds with the key authorization.
+   * If the domain has a certificate, it redirects to HTTPS; otherwise, it initiates certificate issuance.
+   */
+  private handleRequest(req: http.IncomingMessage, res: http.ServerResponse): void {
+    const hostHeader = req.headers.host;
+    if (!hostHeader) {
+      res.statusCode = 400;
+      res.end('Bad Request: Host header is missing');
+      return;
+    }
+    // Extract domain (ignoring any port in the Host header)
+    const domain = hostHeader.split(':')[0];
+
+    // If the request is for an ACME HTTP-01 challenge, handle it.
+    if (req.url && req.url.startsWith('/.well-known/acme-challenge/')) {
+      this.handleAcmeChallenge(req, res, domain);
+      return;
+    }
+
+    if (!this.domainCertificates.has(domain)) {
+      res.statusCode = 404;
+      res.end('Domain not configured');
+      return;
+    }
+
+    const domainInfo = this.domainCertificates.get(domain)!;
+
+    // If certificate exists, redirect to HTTPS on port 443.
+    if (domainInfo.certObtained) {
+      const redirectUrl = `https://${domain}:443${req.url}`;
+      res.statusCode = 301;
+      res.setHeader('Location', redirectUrl);
+      res.end(`Redirecting to ${redirectUrl}`);
+    } else {
+      // Trigger certificate issuance if not already running.
+      if (!domainInfo.obtainingInProgress) {
+        domainInfo.obtainingInProgress = true;
+        this.obtainCertificate(domain).catch(err => {
+          console.error(`Error obtaining certificate for ${domain}:`, err);
+        });
+      }
+      res.statusCode = 503;
+      res.end('Certificate issuance in progress, please try again later.');
+    }
+  }
+
+  /**
+   * Serves the ACME HTTP-01 challenge response.
+   */
+  private handleAcmeChallenge(req: http.IncomingMessage, res: http.ServerResponse, domain: string): void {
+    const domainInfo = this.domainCertificates.get(domain);
+    if (!domainInfo) {
+      res.statusCode = 404;
+      res.end('Domain not configured');
+      return;
+    }
+    // The token is the last part of the URL.
+    const urlParts = req.url?.split('/');
+    const token = urlParts ? urlParts[urlParts.length - 1] : '';
+    if (domainInfo.challengeToken === token && domainInfo.challengeKeyAuthorization) {
+      res.statusCode = 200;
+      res.setHeader('Content-Type', 'text/plain');
+      res.end(domainInfo.challengeKeyAuthorization);
+      console.log(`Served ACME challenge response for ${domain}`);
+    } else {
+      res.statusCode = 404;
+      res.end('Challenge token not found');
+    }
+  }
+
+  /**
+   * Uses acme-client to perform a full ACME HTTP-01 challenge to obtain a certificate.
+   * On success, it stores the certificate and key in memory and clears challenge data.
+   */
+  private async obtainCertificate(domain: string): Promise<void> {
+    try {
+      const client = await this.getAcmeClient();
+
+      // Create a new order for the domain.
+      const order = await client.createOrder({
+        identifiers: [{ type: 'dns', value: domain }],
+      });
+
+      // Get the authorizations for the order.
+      const authorizations = await client.getAuthorizations(order);
+      for (const authz of authorizations) {
+        const challenge = authz.challenges.find(ch => ch.type === 'http-01');
+        if (!challenge) {
+          throw new Error('HTTP-01 challenge not found');
+        }
+        // Get the key authorization for the challenge.
+        const keyAuthorization = await client.getChallengeKeyAuthorization(challenge);
+        const domainInfo = this.domainCertificates.get(domain)!;
+        domainInfo.challengeToken = challenge.token;
+        domainInfo.challengeKeyAuthorization = keyAuthorization;
+
+        // Notify the ACME server that the challenge is ready.
+        // The acme-client examples show that verifyChallenge takes three arguments:
+        // (authorization, challenge, keyAuthorization). However, the official TypeScript
+        // types appear to be out-of-sync. As a workaround, we cast client to 'any'.
+        await (client as any).verifyChallenge(authz, challenge, keyAuthorization);
+
+        await client.completeChallenge(challenge);
+        // Wait until the challenge is validated.
+        await client.waitForValidStatus(challenge);
+        console.log(`HTTP-01 challenge completed for ${domain}`);
+      }
+
+      // Generate a CSR and a new private key for the domain.
+      // Convert the resulting Buffers to strings.
+      const [csrBuffer, privateKeyBuffer] = await acme.forge.createCsr({
+        commonName: domain,
+      });
+      const csr = csrBuffer.toString();
+      const privateKey = privateKeyBuffer.toString();
+
+      // Finalize the order and obtain the certificate.
+      await client.finalizeOrder(order, csr);
+      const certificate = await client.getCertificate(order);
+
+      const domainInfo = this.domainCertificates.get(domain)!;
+      domainInfo.certificate = certificate;
+      domainInfo.privateKey = privateKey;
+      domainInfo.certObtained = true;
+      domainInfo.obtainingInProgress = false;
+      delete domainInfo.challengeToken;
+      delete domainInfo.challengeKeyAuthorization;
+
+      console.log(`Certificate obtained for ${domain}`);
+      // In a production system, persist the certificate and key and reload your TLS server.
+    } catch (error) {
+      console.error(`Error during certificate issuance for ${domain}:`, error);
+      const domainInfo = this.domainCertificates.get(domain);
+      if (domainInfo) {
+        domainInfo.obtainingInProgress = false;
+      }
+    }
+  }
+}

ts/classes.portproxy.ts

@@ -0,0 +1,884 @@
+import * as plugins from './plugins.js';
+
+/** Domain configuration with per-domain allowed port ranges */
+export interface IDomainConfig {
+  domains: string[];         // Glob patterns for domain(s)
+  allowedIPs: string[];      // Glob patterns for allowed IPs
+  blockedIPs?: string[];     // Glob patterns for blocked IPs
+  targetIPs?: string[];      // If multiple targetIPs are given, use round robin.
+  portRanges?: Array<{ from: number; to: number }>; // Optional port ranges
+}
+
+/** Port proxy settings including global allowed port ranges */
+export interface IPortProxySettings extends plugins.tls.TlsOptions {
+  fromPort: number;
+  toPort: number;
+  targetIP?: string; // Global target host to proxy to, defaults to 'localhost'
+  domainConfigs: IDomainConfig[];
+  sniEnabled?: boolean;
+  defaultAllowedIPs?: string[];
+  defaultBlockedIPs?: string[];
+  preserveSourceIP?: boolean;
+  maxConnectionLifetime?: number; // (ms) force cleanup of long-lived connections
+  globalPortRanges: Array<{ from: number; to: number }>; // Global allowed port ranges
+  forwardAllGlobalRanges?: boolean; // When true, forwards all connections on global port ranges to the global targetIP
+  gracefulShutdownTimeout?: number; // (ms) maximum time to wait for connections to close during shutdown
+  initialDataTimeout?: number; // (ms) timeout for receiving initial data, useful for chained proxies
+}
+
+/**
+ * Extracts the SNI (Server Name Indication) from a TLS ClientHello packet.
+ * @param buffer - Buffer containing the TLS ClientHello.
+ * @returns The server name if found, otherwise undefined.
+ */
+function extractSNI(buffer: Buffer): string | undefined {
+  let offset = 0;
+  if (buffer.length < 5) return undefined;
+
+  const recordType = buffer.readUInt8(0);
+  if (recordType !== 22) return undefined; // 22 = handshake
+
+  const recordLength = buffer.readUInt16BE(3);
+  if (buffer.length < 5 + recordLength) return undefined;
+
+  offset = 5;
+  const handshakeType = buffer.readUInt8(offset);
+  if (handshakeType !== 1) return undefined; // 1 = ClientHello
+
+  offset += 4; // Skip handshake header (type + length)
+  offset += 2 + 32; // Skip client version and random
+
+  const sessionIDLength = buffer.readUInt8(offset);
+  offset += 1 + sessionIDLength; // Skip session ID
+
+  const cipherSuitesLength = buffer.readUInt16BE(offset);
+  offset += 2 + cipherSuitesLength; // Skip cipher suites
+
+  const compressionMethodsLength = buffer.readUInt8(offset);
+  offset += 1 + compressionMethodsLength; // Skip compression methods
+
+  if (offset + 2 > buffer.length) return undefined;
+  const extensionsLength = buffer.readUInt16BE(offset);
+  offset += 2;
+  const extensionsEnd = offset + extensionsLength;
+
+  while (offset + 4 <= extensionsEnd) {
+    const extensionType = buffer.readUInt16BE(offset);
+    const extensionLength = buffer.readUInt16BE(offset + 2);
+    offset += 4;
+    if (extensionType === 0x0000) { // SNI extension
+      if (offset + 2 > buffer.length) return undefined;
+      const sniListLength = buffer.readUInt16BE(offset);
+      offset += 2;
+      const sniListEnd = offset + sniListLength;
+      while (offset + 3 < sniListEnd) {
+        const nameType = buffer.readUInt8(offset++);
+        const nameLen = buffer.readUInt16BE(offset);
+        offset += 2;
+        if (nameType === 0) { // host_name
+          if (offset + nameLen > buffer.length) return undefined;
+          return buffer.toString('utf8', offset, offset + nameLen);
+        }
+        offset += nameLen;
+      }
+      break;
+    } else {
+      offset += extensionLength;
+    }
+  }
+  return undefined;
+}
+
+interface IConnectionRecord {
+  incoming: plugins.net.Socket;
+  outgoing: plugins.net.Socket | null;
+  incomingStartTime: number;
+  outgoingStartTime?: number;
+  outgoingClosedTime?: number;
+  lockedDomain?: string; // Field to lock this connection to the initial SNI
+  connectionClosed: boolean;
+  cleanupTimer?: NodeJS.Timeout; // Timer to force cleanup after max lifetime/inactivity
+  cleanupInitiated: boolean; // Flag to track if cleanup has been initiated but not completed
+  id: string; // Unique identifier for the connection
+  lastActivity: number; // Timestamp of last activity on either socket
+}
+
+// Helper: Check if a port falls within any of the given port ranges.
+const isPortInRanges = (port: number, ranges: Array<{ from: number; to: number }>): boolean => {
+  return ranges.some(range => port >= range.from && port <= range.to);
+};
+
+// Helper: Check if a given IP matches any of the glob patterns.
+const isAllowed = (ip: string, patterns: string[]): boolean => {
+  const normalizeIP = (ip: string): string[] => {
+    if (ip.startsWith('::ffff:')) {
+      const ipv4 = ip.slice(7);
+      return [ip, ipv4];
+    }
+    if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
+      return [ip, `::ffff:${ip}`];
+    }
+    return [ip];
+  };
+  const normalizedIPVariants = normalizeIP(ip);
+  const expandedPatterns = patterns.flatMap(normalizeIP);
+  return normalizedIPVariants.some(ipVariant =>
+    expandedPatterns.some(pattern => plugins.minimatch(ipVariant, pattern))
+  );
+};
+
+// Helper: Check if an IP is allowed considering allowed and blocked glob patterns.
+const isGlobIPAllowed = (ip: string, allowed: string[], blocked: string[] = []): boolean => {
+  if (blocked.length > 0 && isAllowed(ip, blocked)) return false;
+  return isAllowed(ip, allowed);
+};
+
+// Helper: Generate a unique ID for a connection
+const generateConnectionId = (): string => {
+  return Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15);
+};
+
+export class PortProxy {
+  private netServers: plugins.net.Server[] = [];
+  settings: IPortProxySettings;
+  // Unified record tracking each connection pair.
+  private connectionRecords: Map<string, IConnectionRecord> = new Map();
+  private connectionLogger: NodeJS.Timeout | null = null;
+  private isShuttingDown: boolean = false;
+
+  // Map to track round robin indices for each domain config.
+  private domainTargetIndices: Map<IDomainConfig, number> = new Map();
+
+  private terminationStats: {
+    incoming: Record<string, number>;
+    outgoing: Record<string, number>;
+  } = {
+    incoming: {},
+    outgoing: {},
+  };
+
+  constructor(settingsArg: IPortProxySettings) {
+    this.settings = {
+      ...settingsArg,
+      targetIP: settingsArg.targetIP || 'localhost',
+      maxConnectionLifetime: settingsArg.maxConnectionLifetime || 600000,
+      gracefulShutdownTimeout: settingsArg.gracefulShutdownTimeout || 30000,
+    };
+    
+    // Debug logging for constructor settings
+    console.log(`PortProxy initialized with targetIP: ${this.settings.targetIP}, toPort: ${this.settings.toPort}, fromPort: ${this.settings.fromPort}, sniEnabled: ${this.settings.sniEnabled}`);
+  }
+
+  private incrementTerminationStat(side: 'incoming' | 'outgoing', reason: string): void {
+    this.terminationStats[side][reason] = (this.terminationStats[side][reason] || 0) + 1;
+  }
+
+  /**
+   * Initiates the cleanup process for a connection.
+   * Sets the flag to prevent duplicate cleanup attempts and schedules actual cleanup.
+   */
+  private initiateCleanup(record: IConnectionRecord, reason: string = 'normal'): void {
+    if (record.cleanupInitiated) return;
+    
+    record.cleanupInitiated = true;
+    const remoteIP = record.incoming.remoteAddress || 'unknown';
+    console.log(`Initiating cleanup for connection ${record.id} from ${remoteIP} (reason: ${reason})`);
+    
+    // Execute cleanup immediately to prevent lingering connections
+    this.executeCleanup(record);
+  }
+
+  /**
+   * Executes the actual cleanup of a connection.
+   * Destroys sockets, clears timers, and removes the record.
+   */
+  private executeCleanup(record: IConnectionRecord): void {
+    if (record.connectionClosed) return;
+    
+    record.connectionClosed = true;
+    const remoteIP = record.incoming.remoteAddress || 'unknown';
+    
+    if (record.cleanupTimer) {
+      clearTimeout(record.cleanupTimer);
+      record.cleanupTimer = undefined;
+    }
+    
+    // End the sockets first to allow for graceful closure
+    try {
+      if (!record.incoming.destroyed) {
+        record.incoming.end();
+        // Set a safety timeout to force destroy if end doesn't complete
+        setTimeout(() => {
+          if (!record.incoming.destroyed) {
+            console.log(`Forcing destruction of incoming socket for ${remoteIP}`);
+            record.incoming.destroy();
+          }
+        }, 1000);
+      }
+    } catch (err) {
+      console.error(`Error ending incoming socket for ${remoteIP}:`, err);
+      if (!record.incoming.destroyed) {
+        record.incoming.destroy();
+      }
+    }
+
+    try {
+      if (record.outgoing && !record.outgoing.destroyed) {
+        record.outgoing.end();
+        // Set a safety timeout to force destroy if end doesn't complete
+        setTimeout(() => {
+          if (record.outgoing && !record.outgoing.destroyed) {
+            console.log(`Forcing destruction of outgoing socket for ${remoteIP}`);
+            record.outgoing.destroy();
+          }
+        }, 1000);
+      }
+    } catch (err) {
+      console.error(`Error ending outgoing socket for ${remoteIP}:`, err);
+      if (record.outgoing && !record.outgoing.destroyed) {
+        record.outgoing.destroy();
+      }
+    }
+
+    // Remove the record after a delay to ensure all events have propagated
+    setTimeout(() => {
+      this.connectionRecords.delete(record.id);
+      console.log(`Connection ${record.id} from ${remoteIP} fully cleaned up. Active connections: ${this.connectionRecords.size}`);
+    }, 2000);
+  }
+
+  private getTargetIP(domainConfig: IDomainConfig): string {
+    if (domainConfig.targetIPs && domainConfig.targetIPs.length > 0) {
+      const currentIndex = this.domainTargetIndices.get(domainConfig) || 0;
+      const ip = domainConfig.targetIPs[currentIndex % domainConfig.targetIPs.length];
+      this.domainTargetIndices.set(domainConfig, currentIndex + 1);
+      return ip;
+    }
+    return this.settings.targetIP!;
+  }
+
+  /**
+   * Updates the last activity timestamp for a connection record
+   */
+  private updateActivity(record: IConnectionRecord): void {
+    record.lastActivity = Date.now();
+    
+    // Reset the inactivity timer if one is set
+    if (this.settings.maxConnectionLifetime && record.cleanupTimer) {
+      clearTimeout(record.cleanupTimer);
+      
+      // Set a new cleanup timer
+      record.cleanupTimer = setTimeout(() => {
+        const now = Date.now();
+        const inactivityTime = now - record.lastActivity;
+        const remoteIP = record.incoming.remoteAddress || 'unknown';
+        console.log(`Connection ${record.id} from ${remoteIP} exceeded max lifetime or inactivity period (${inactivityTime}ms), forcing cleanup.`);
+        this.initiateCleanup(record, 'timeout');
+      }, this.settings.maxConnectionLifetime);
+    }
+  }
+
+  public async start() {
+    // Define a unified connection handler for all listening ports.
+    const connectionHandler = (socket: plugins.net.Socket) => {
+      if (this.isShuttingDown) {
+        socket.end();
+        socket.destroy();
+        return;
+      }
+
+      const remoteIP = socket.remoteAddress || '';
+      const localPort = socket.localPort; // The port on which this connection was accepted.
+      
+      const connectionId = generateConnectionId();
+      const connectionRecord: IConnectionRecord = {
+        id: connectionId,
+        incoming: socket,
+        outgoing: null,
+        incomingStartTime: Date.now(),
+        lastActivity: Date.now(),
+        connectionClosed: false,
+        cleanupInitiated: false
+      };
+
+      this.connectionRecords.set(connectionId, connectionRecord);
+      console.log(`New connection ${connectionId} from ${remoteIP} on port ${localPort}. Active connections: ${this.connectionRecords.size}`);
+
+      let initialDataReceived = false;
+      let incomingTerminationReason: string | null = null;
+      let outgoingTerminationReason: string | null = null;
+
+      // Local cleanup function that delegates to the class method.
+      const initiateCleanupOnce = (reason: string = 'normal') => {
+        this.initiateCleanup(connectionRecord, reason);
+      };
+
+      // Helper to reject an incoming connection.
+      const rejectIncomingConnection = (reason: string, logMessage: string) => {
+        console.log(logMessage);
+        socket.end();
+        if (incomingTerminationReason === null) {
+          incomingTerminationReason = reason;
+          this.incrementTerminationStat('incoming', reason);
+        }
+        initiateCleanupOnce(reason);
+      };
+
+      // Set an initial timeout only if SNI is enabled or this is not a chained proxy
+      // For chained proxies, we need to allow more time for data to flow through
+      const initialTimeoutMs = this.settings.initialDataTimeout || 
+                             (this.settings.sniEnabled ? 15000 : 0); // Increased timeout for SNI, disabled for non-SNI by default
+      
+      let initialTimeout: NodeJS.Timeout | null = null;
+      
+      if (initialTimeoutMs > 0) {
+        console.log(`Setting initial data timeout of ${initialTimeoutMs}ms for connection from ${remoteIP}`);
+        initialTimeout = setTimeout(() => {
+          if (!initialDataReceived) {
+            console.log(`Initial connection timeout for ${remoteIP} (no data received after ${initialTimeoutMs}ms)`);
+            if (incomingTerminationReason === null) {
+              incomingTerminationReason = 'initial_timeout';
+              this.incrementTerminationStat('incoming', 'initial_timeout');
+            }
+            initiateCleanupOnce('initial_timeout');
+          }
+        }, initialTimeoutMs);
+      } else {
+        console.log(`No initial timeout set for connection from ${remoteIP} (likely chained proxy)`);
+        // Mark as received immediately if we're not waiting for data
+        initialDataReceived = true;
+      }
+
+      socket.on('error', (err: Error) => {
+        const errorMessage = initialDataReceived
+          ? `(Immediate) Incoming socket error from ${remoteIP}: ${err.message}`
+          : `(Premature) Incoming socket error from ${remoteIP} before data received: ${err.message}`;
+        console.log(errorMessage);
+        
+        // Clear the initial timeout if it exists
+        if (initialTimeout) {
+          clearTimeout(initialTimeout);
+          initialTimeout = null;
+        }
+        
+        // For premature errors, we need to handle them explicitly 
+        // since the standard error handlers might not be set up yet
+        if (!initialDataReceived) {
+          if (incomingTerminationReason === null) {
+            incomingTerminationReason = 'premature_error';
+            this.incrementTerminationStat('incoming', 'premature_error');
+          }
+          initiateCleanupOnce('premature_error');
+        }
+      });
+
+      const handleError = (side: 'incoming' | 'outgoing') => (err: Error) => {
+        const code = (err as any).code;
+        let reason = 'error';
+        if (code === 'ECONNRESET') {
+          reason = 'econnreset';
+          console.log(`ECONNRESET on ${side} side from ${remoteIP}: ${err.message}`);
+        } else if (code === 'ECONNREFUSED') {
+          reason = 'econnrefused';
+          console.log(`ECONNREFUSED on ${side} side from ${remoteIP}: ${err.message}`);
+        } else {
+          console.log(`Error on ${side} side from ${remoteIP}: ${err.message}`);
+        }
+        
+        if (side === 'incoming' && incomingTerminationReason === null) {
+          incomingTerminationReason = reason;
+          this.incrementTerminationStat('incoming', reason);
+        } else if (side === 'outgoing' && outgoingTerminationReason === null) {
+          outgoingTerminationReason = reason;
+          this.incrementTerminationStat('outgoing', reason);
+        }
+        
+        initiateCleanupOnce(reason);
+      };
+
+      const handleClose = (side: 'incoming' | 'outgoing') => () => {
+        console.log(`Connection closed on ${side} side from ${remoteIP}`);
+        
+        if (side === 'incoming' && incomingTerminationReason === null) {
+          incomingTerminationReason = 'normal';
+          this.incrementTerminationStat('incoming', 'normal');
+        } else if (side === 'outgoing' && outgoingTerminationReason === null) {
+          outgoingTerminationReason = 'normal';
+          this.incrementTerminationStat('outgoing', 'normal');
+          // Record the time when outgoing socket closed.
+          connectionRecord.outgoingClosedTime = Date.now();
+          
+          // If incoming is still active but outgoing closed, set a shorter timeout
+          if (!connectionRecord.incoming.destroyed) {
+            console.log(`Outgoing socket closed but incoming still active for ${remoteIP}. Setting cleanup timeout.`);
+            setTimeout(() => {
+              if (!connectionRecord.connectionClosed && !connectionRecord.incoming.destroyed) {
+                console.log(`Incoming socket still active ${Date.now() - connectionRecord.outgoingClosedTime!}ms after outgoing closed for ${remoteIP}. Cleaning up.`);
+                initiateCleanupOnce('outgoing_closed_timeout');
+              }
+            }, 10000); // 10 second timeout instead of waiting for the next parity check
+          }
+        }
+        
+        // If both sides are closed/destroyed, clean up
+        if ((side === 'incoming' && connectionRecord.outgoing?.destroyed) || 
+            (side === 'outgoing' && connectionRecord.incoming.destroyed)) {
+          initiateCleanupOnce('both_closed');
+        }
+      };
+
+      /**
+       * Sets up the connection to the target host.
+       * @param serverName - The SNI hostname (unused when forcedDomain is provided).
+       * @param initialChunk - Optional initial data chunk.
+       * @param forcedDomain - If provided, overrides SNI/domain lookup (used for port-based routing).
+       * @param overridePort - If provided, use this port for the outgoing connection.
+       */
+      const setupConnection = (serverName: string, initialChunk?: Buffer, forcedDomain?: IDomainConfig, overridePort?: number) => {
+        // Clear the initial timeout since we've received data
+        if (initialTimeout) {
+          clearTimeout(initialTimeout);
+        }
+        
+        // If a forcedDomain is provided (port-based routing), use it; otherwise, use SNI-based lookup.
+        const domainConfig = forcedDomain
+          ? forcedDomain
+          : (serverName ? this.settings.domainConfigs.find(config =>
+              config.domains.some(d => plugins.minimatch(serverName, d))
+            ) : undefined);
+
+        // Effective IP check: merge allowed IPs with default allowed, and remove blocked IPs.
+        // In a chained proxy, relax IP validation unless explicitly configured
+        // If this is the first proxy in the chain, normal validation applies
+        if (domainConfig) {
+          // Has specific domain config - check IP restrictions only if allowedIPs is non-empty
+          if (domainConfig.allowedIPs.length > 0) {
+            const effectiveAllowedIPs: string[] = [
+              ...domainConfig.allowedIPs,
+              ...(this.settings.defaultAllowedIPs || [])
+            ];
+            const effectiveBlockedIPs: string[] = [
+              ...(domainConfig.blockedIPs || []),
+              ...(this.settings.defaultBlockedIPs || [])
+            ];
+            if (!isGlobIPAllowed(remoteIP, effectiveAllowedIPs, effectiveBlockedIPs)) {
+              return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed for domain ${domainConfig.domains.join(', ')}`);
+            }
+          } else {
+            console.log(`Domain config for ${domainConfig.domains.join(', ')} has empty allowedIPs, skipping IP validation`);
+          }
+        } else if (this.settings.defaultAllowedIPs && this.settings.defaultAllowedIPs.length > 0) {
+          // No domain config but has default IP restrictions
+          if (!isGlobIPAllowed(remoteIP, this.settings.defaultAllowedIPs, this.settings.defaultBlockedIPs || [])) {
+            return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed by default allowed list`);
+          }
+        } else {
+          // No domain config and no default allowed IPs
+          // In a chained proxy setup, we'll allow this connection 
+          console.log(`No specific IP restrictions found for ${remoteIP}. Allowing connection in potential chained proxy setup.`);
+        }
+
+        const targetHost = domainConfig ? this.getTargetIP(domainConfig) : this.settings.targetIP!;
+        const connectionOptions: plugins.net.NetConnectOpts = {
+          host: targetHost,
+          port: overridePort !== undefined ? overridePort : this.settings.toPort,
+        };
+        if (this.settings.preserveSourceIP) {
+          connectionOptions.localAddress = remoteIP.replace('::ffff:', '');
+        }
+
+        // Add explicit connection timeout and error handling
+        let connectionTimeout: NodeJS.Timeout | null = null;
+        let connectionSucceeded = false;
+        
+        // Set connection timeout - longer for chained proxies
+        connectionTimeout = setTimeout(() => {
+          if (!connectionSucceeded) {
+            console.log(`Connection timeout connecting to ${targetHost}:${connectionOptions.port} for ${remoteIP}`);
+            if (outgoingTerminationReason === null) {
+              outgoingTerminationReason = 'connection_timeout';
+              this.incrementTerminationStat('outgoing', 'connection_timeout');
+            }
+            initiateCleanupOnce('connection_timeout');
+          }
+        }, 10000); // Increased from 5s to 10s to accommodate chained proxies
+
+        console.log(`Attempting to connect to ${targetHost}:${connectionOptions.port} for client ${remoteIP}...`);
+        
+        // Create the target socket
+        const targetSocket = plugins.net.connect(connectionOptions);
+        connectionRecord.outgoing = targetSocket;
+        
+        // Handle successful connection
+        targetSocket.once('connect', () => {
+          connectionSucceeded = true;
+          if (connectionTimeout) {
+            clearTimeout(connectionTimeout);
+            connectionTimeout = null;
+          }
+          
+          connectionRecord.outgoingStartTime = Date.now();
+          console.log(
+            `Connection established: ${remoteIP} -> ${targetHost}:${connectionOptions.port}` +
+            `${serverName ? ` (SNI: ${serverName})` : forcedDomain ? ` (Port-based for domain: ${forcedDomain.domains.join(', ')})` : ''}`
+          );
+
+          // Setup data flow after confirmed connection
+          setupDataFlow(targetSocket, initialChunk);
+        });
+
+        // Handle connection errors early
+        targetSocket.once('error', (err) => {
+          if (!connectionSucceeded) {
+            // This is an initial connection error
+            console.log(`Failed to connect to ${targetHost}:${connectionOptions.port} for ${remoteIP}: ${err.message}`);
+            if (connectionTimeout) {
+              clearTimeout(connectionTimeout);
+              connectionTimeout = null;
+            }
+            if (outgoingTerminationReason === null) {
+              outgoingTerminationReason = 'connection_failed';
+              this.incrementTerminationStat('outgoing', 'connection_failed');
+            }
+            initiateCleanupOnce('connection_failed');
+          }
+          // Other errors will be handled by the main error handler
+        });
+      };
+
+      /**
+       * Sets up the data flow between sockets after successful connection
+       */
+      const setupDataFlow = (targetSocket: plugins.net.Socket, initialChunk?: Buffer) => {
+        if (initialChunk) {
+          socket.unshift(initialChunk);
+        }
+        
+        // Set appropriate timeouts for both sockets
+        socket.setTimeout(120000);
+        targetSocket.setTimeout(120000);
+        
+        // Set up the pipe in both directions
+        socket.pipe(targetSocket);
+        targetSocket.pipe(socket);
+
+        // Attach error and close handlers
+        socket.on('error', handleError('incoming'));
+        targetSocket.on('error', handleError('outgoing'));
+        socket.on('close', handleClose('incoming'));
+        targetSocket.on('close', handleClose('outgoing'));
+        
+        // Handle timeout events
+        socket.on('timeout', () => {
+          console.log(`Timeout on incoming side from ${remoteIP}`);
+          if (incomingTerminationReason === null) {
+            incomingTerminationReason = 'timeout';
+            this.incrementTerminationStat('incoming', 'timeout');
+          }
+          initiateCleanupOnce('timeout');
+        });
+        
+        targetSocket.on('timeout', () => {
+          console.log(`Timeout on outgoing side from ${remoteIP}`);
+          if (outgoingTerminationReason === null) {
+            outgoingTerminationReason = 'timeout';
+            this.incrementTerminationStat('outgoing', 'timeout');
+          }
+          initiateCleanupOnce('timeout');
+        });
+        
+        socket.on('end', handleClose('incoming'));
+        targetSocket.on('end', handleClose('outgoing'));
+
+        // Track activity for both sockets to reset inactivity timers
+        socket.on('data', (data) => {
+          this.updateActivity(connectionRecord);
+        });
+        
+        targetSocket.on('data', (data) => {
+          this.updateActivity(connectionRecord);
+        });
+
+        // Initialize a cleanup timer for max connection lifetime
+        if (this.settings.maxConnectionLifetime) {
+          connectionRecord.cleanupTimer = setTimeout(() => {
+            console.log(`Connection from ${remoteIP} exceeded max lifetime (${this.settings.maxConnectionLifetime}ms), forcing cleanup.`);
+            initiateCleanupOnce('max_lifetime');
+          }, this.settings.maxConnectionLifetime);
+        }
+      };
+
+      // --- PORT RANGE-BASED HANDLING ---
+      // Only apply port-based rules if the incoming port is within one of the global port ranges.
+      if (this.settings.globalPortRanges && isPortInRanges(localPort, this.settings.globalPortRanges)) {
+        if (this.settings.forwardAllGlobalRanges) {
+          if (this.settings.defaultAllowedIPs && !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
+            console.log(`Connection from ${remoteIP} rejected: IP ${remoteIP} not allowed in global default allowed list.`);
+            socket.end();
+            initiateCleanupOnce('rejected');
+            return;
+          }
+          console.log(`Port-based connection from ${remoteIP} on port ${localPort} forwarded to global target IP ${this.settings.targetIP}.`);
+          setupConnection('', undefined, {
+            domains: ['global'],
+            allowedIPs: this.settings.defaultAllowedIPs || [],
+            blockedIPs: this.settings.defaultBlockedIPs || [],
+            targetIPs: [this.settings.targetIP!],
+            portRanges: []
+          }, localPort);
+          return;
+        } else {
+          // Attempt to find a matching forced domain config based on the local port.
+          const forcedDomain = this.settings.domainConfigs.find(
+            domain => domain.portRanges && domain.portRanges.length > 0 && isPortInRanges(localPort, domain.portRanges)
+          );
+          if (forcedDomain) {
+            const effectiveAllowedIPs: string[] = [
+              ...forcedDomain.allowedIPs,
+              ...(this.settings.defaultAllowedIPs || [])
+            ];
+            const effectiveBlockedIPs: string[] = [
+              ...(forcedDomain.blockedIPs || []),
+              ...(this.settings.defaultBlockedIPs || [])
+            ];
+            if (!isGlobIPAllowed(remoteIP, effectiveAllowedIPs, effectiveBlockedIPs)) {
+              console.log(`Connection from ${remoteIP} rejected: IP not allowed for domain ${forcedDomain.domains.join(', ')} on port ${localPort}.`);
+              socket.end();
+              initiateCleanupOnce('rejected');
+              return;
+            }
+            console.log(`Port-based connection from ${remoteIP} on port ${localPort} matched domain ${forcedDomain.domains.join(', ')}.`);
+            setupConnection('', undefined, forcedDomain, localPort);
+            return;
+          }
+          // Fall through to SNI/default handling if no forced domain config is found.
+        }
+      }
+
+      // --- FALLBACK: SNI-BASED HANDLING (or default when SNI is disabled) ---
+      if (this.settings.sniEnabled) {
+        // If using SNI, we need to wait for data to establish the connection
+        if (initialDataReceived) {
+          console.log(`Initial data already marked as received for ${remoteIP}, but SNI is enabled. This is unexpected.`);
+        }
+        
+        initialDataReceived = false;
+        
+        console.log(`Waiting for TLS ClientHello from ${remoteIP} to extract SNI...`);
+        socket.once('data', (chunk: Buffer) => {
+          if (initialTimeout) {
+            clearTimeout(initialTimeout);
+            initialTimeout = null;
+          }
+          
+          initialDataReceived = true;
+          console.log(`Received initial data from ${remoteIP}, length: ${chunk.length} bytes`);
+          
+          let serverName = '';
+          try {
+            // Only try to extract SNI if the chunk looks like a TLS ClientHello
+            if (chunk.length > 5 && chunk.readUInt8(0) === 22) {
+              serverName = extractSNI(chunk) || '';
+              console.log(`Extracted SNI: "${serverName}" from connection ${remoteIP}`);
+            } else {
+              console.log(`Data from ${remoteIP} doesn't appear to be a TLS ClientHello. First byte: ${chunk.length > 0 ? chunk.readUInt8(0) : 'N/A'}`);
+            }
+          } catch (err) {
+            console.log(`Error extracting SNI from chunk: ${err}. Proceeding without SNI.`);
+          }
+          
+          // Lock the connection to the negotiated SNI.
+          connectionRecord.lockedDomain = serverName;
+          
+          // Delay adding the renegotiation listener until the next tick,
+          // so the initial ClientHello is not reprocessed.
+          setImmediate(() => {
+            socket.on('data', (renegChunk: Buffer) => {
+              if (renegChunk.length > 0 && renegChunk.readUInt8(0) === 22) {
+                try {
+                  // Try to extract SNI from potential renegotiation
+                  const newSNI = extractSNI(renegChunk);
+                  if (newSNI && newSNI !== connectionRecord.lockedDomain) {
+                    console.log(`Rehandshake detected with different SNI: ${newSNI} vs locked ${connectionRecord.lockedDomain}. Terminating connection.`);
+                    initiateCleanupOnce('sni_mismatch');
+                  } else if (newSNI) {
+                    console.log(`Rehandshake detected with same SNI: ${newSNI}. Allowing.`);
+                  }
+                } catch (err) {
+                  console.log(`Error processing potential renegotiation: ${err}. Allowing connection to continue.`);
+                }
+              }
+            });
+          });
+          
+          setupConnection(serverName, chunk);
+        });
+      } else {
+        // Non-SNI mode: we can proceed immediately without waiting for data
+        if (initialTimeout) {
+          clearTimeout(initialTimeout);
+          initialTimeout = null;
+        }
+        
+        initialDataReceived = true;
+        console.log(`SNI disabled for connection from ${remoteIP}, proceeding directly to connection setup`);
+        
+        // Check IP restrictions only if explicitly configured
+        if (this.settings.defaultAllowedIPs && this.settings.defaultAllowedIPs.length > 0) {
+          if (!isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
+            return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed for non-SNI connection`);
+          }
+        }
+        
+        // Proceed with connection setup
+        setupConnection('');
+      }
+    };
+
+    // --- SETUP LISTENERS ---
+    // Determine which ports to listen on.
+    const listeningPorts = new Set<number>();
+    if (this.settings.globalPortRanges && this.settings.globalPortRanges.length > 0) {
+      // Listen on every port defined by the global ranges.
+      for (const range of this.settings.globalPortRanges) {
+        for (let port = range.from; port <= range.to; port++) {
+          listeningPorts.add(port);
+        }
+      }
+      // Also ensure the default fromPort is listened to if it isn't already in the ranges.
+      listeningPorts.add(this.settings.fromPort);
+    } else {
+      listeningPorts.add(this.settings.fromPort);
+    }
+
+    // Create a server for each port.
+    for (const port of listeningPorts) {
+      const server = plugins.net
+        .createServer(connectionHandler)
+        .on('error', (err: Error) => {
+          console.log(`Server Error on port ${port}: ${err.message}`);
+        });
+      server.listen(port, () => {
+        console.log(`PortProxy -> OK: Now listening on port ${port}${this.settings.sniEnabled ? ' (SNI passthrough enabled)' : ''}`);
+      });
+      this.netServers.push(server);
+    }
+
+    // Log active connection count, run parity checks, and check for connection issues every 10 seconds.
+    this.connectionLogger = setInterval(() => {
+      if (this.isShuttingDown) return;
+      
+      const now = Date.now();
+      let maxIncoming = 0;
+      let maxOutgoing = 0;
+      
+      // Create a copy of the keys to avoid modification during iteration
+      const connectionIds = [...this.connectionRecords.keys()];
+      
+      for (const id of connectionIds) {
+        const record = this.connectionRecords.get(id);
+        if (!record) continue;
+        
+        maxIncoming = Math.max(maxIncoming, now - record.incomingStartTime);
+        if (record.outgoingStartTime) {
+          maxOutgoing = Math.max(maxOutgoing, now - record.outgoingStartTime);
+        }
+        
+        // Parity check: if outgoing socket closed and incoming remains active for >30 seconds, trigger cleanup
+        if (record.outgoingClosedTime && 
+            !record.incoming.destroyed && 
+            !record.connectionClosed && 
+            !record.cleanupInitiated && 
+            (now - record.outgoingClosedTime > 30000)) {
+          const remoteIP = record.incoming.remoteAddress || 'unknown';
+          console.log(`Parity check triggered: Incoming socket for ${remoteIP} has been active >30s after outgoing closed.`);
+          this.initiateCleanup(record, 'parity_check');
+        }
+        
+        // Inactivity check: if no activity for a long time but sockets still open
+        const inactivityTime = now - record.lastActivity;
+        if (inactivityTime > 180000 && // 3 minutes
+            !record.connectionClosed && 
+            !record.cleanupInitiated) {
+          const remoteIP = record.incoming.remoteAddress || 'unknown';
+          console.log(`Inactivity check triggered: No activity on connection from ${remoteIP} for ${plugins.prettyMs(inactivityTime)}.`);
+          this.initiateCleanup(record, 'inactivity');
+        }
+      }
+      
+      console.log(
+        `(Interval Log) Active connections: ${this.connectionRecords.size}. ` +
+        `Longest running incoming: ${plugins.prettyMs(maxIncoming)}, outgoing: ${plugins.prettyMs(maxOutgoing)}. ` +
+        `Termination stats (incoming): ${JSON.stringify(this.terminationStats.incoming)}, ` +
+        `(outgoing): ${JSON.stringify(this.terminationStats.outgoing)}`
+      );
+    }, 10000);
+  }
+
+  public async stop() {
+    console.log("PortProxy shutting down...");
+    this.isShuttingDown = true;
+    
+    // Stop accepting new connections
+    const closeServerPromises: Promise<void>[] = this.netServers.map(
+      server =>
+        new Promise<void>((resolve) => {
+          server.close(() => resolve());
+        })
+    );
+    
+    // Stop the connection logger
+    if (this.connectionLogger) {
+      clearInterval(this.connectionLogger);
+      this.connectionLogger = null;
+    }
+
+    // Wait for servers to close
+    await Promise.all(closeServerPromises);
+    console.log("All servers closed. Cleaning up active connections...");
+    
+    // Gracefully close active connections
+    const connectionIds = [...this.connectionRecords.keys()];
+    console.log(`Cleaning up ${connectionIds.length} active connections...`);
+    
+    for (const id of connectionIds) {
+      const record = this.connectionRecords.get(id);
+      if (record && !record.connectionClosed && !record.cleanupInitiated) {
+        this.initiateCleanup(record, 'shutdown');
+      }
+    }
+    
+    // Wait for graceful shutdown or timeout
+    const shutdownTimeout = this.settings.gracefulShutdownTimeout || 30000;
+    await new Promise<void>((resolve) => {
+      const checkInterval = setInterval(() => {
+        if (this.connectionRecords.size === 0) {
+          clearInterval(checkInterval);
+          resolve();
+        }
+      }, 1000);
+      
+      // Force resolve after timeout
+      setTimeout(() => {
+        clearInterval(checkInterval);
+        if (this.connectionRecords.size > 0) {
+          console.log(`Forcing shutdown with ${this.connectionRecords.size} connections still active`);
+          
+          // Force destroy any remaining connections
+          for (const record of this.connectionRecords.values()) {
+            if (!record.incoming.destroyed) {
+              record.incoming.destroy();
+            }
+            if (record.outgoing && !record.outgoing.destroyed) {
+              record.outgoing.destroy();
+            }
+          }
+          this.connectionRecords.clear();
+        }
+        resolve();
+      }, shutdownTimeout);
+    });
+    
+    console.log("PortProxy shutdown complete.");
+  }
+}

ts/index.ts

@@ -1,3 +1,5 @@
-export * from './smartproxy.classes.networkproxy.js';
-export * from './smartproxy.portproxy.js';
-export * from './smartproxy.classes.sslredirect.js';
+export * from './classes.iptablesproxy.js';
+export * from './classes.networkproxy.js';
+export * from './classes.portproxy.js';
+export * from './classes.port80handler.js';
+export * from './classes.sslredirect.js';

ts/smartproxy.portproxy.ts

@@ -1,352 +0,0 @@
-import * as plugins from './plugins.js';
-
-export interface IDomainConfig {
-  domain: string;         // Glob pattern for domain
-  allowedIPs: string[];   // Glob patterns for allowed IPs
-  targetIP?: string;      // Optional target IP for this domain
-}
-
-export interface IProxySettings extends plugins.tls.TlsOptions {
-  fromPort: number;
-  toPort: number;
-  toHost?: string; // Target host to proxy to, defaults to 'localhost'
-  domains: IDomainConfig[];
-  sniEnabled?: boolean;
-  defaultAllowedIPs?: string[];
-  preserveSourceIP?: boolean;
-}
-
-/**
- * Extracts the SNI (Server Name Indication) from a TLS ClientHello packet.
- * @param buffer - Buffer containing the TLS ClientHello.
- * @returns The server name if found, otherwise undefined.
- */
-function extractSNI(buffer: Buffer): string | undefined {
-  let offset = 0;
-  if (buffer.length < 5) return undefined;
-
-  const recordType = buffer.readUInt8(0);
-  if (recordType !== 22) return undefined; // 22 = handshake
-
-  const recordLength = buffer.readUInt16BE(3);
-  if (buffer.length < 5 + recordLength) return undefined;
-
-  offset = 5;
-  const handshakeType = buffer.readUInt8(offset);
-  if (handshakeType !== 1) return undefined; // 1 = ClientHello
-
-  offset += 4; // Skip handshake header (type + length)
-  offset += 2 + 32; // Skip client version and random
-
-  const sessionIDLength = buffer.readUInt8(offset);
-  offset += 1 + sessionIDLength; // Skip session ID
-
-  const cipherSuitesLength = buffer.readUInt16BE(offset);
-  offset += 2 + cipherSuitesLength; // Skip cipher suites
-
-  const compressionMethodsLength = buffer.readUInt8(offset);
-  offset += 1 + compressionMethodsLength; // Skip compression methods
-
-  if (offset + 2 > buffer.length) return undefined;
-  const extensionsLength = buffer.readUInt16BE(offset);
-  offset += 2;
-  const extensionsEnd = offset + extensionsLength;
-
-  while (offset + 4 <= extensionsEnd) {
-    const extensionType = buffer.readUInt16BE(offset);
-    const extensionLength = buffer.readUInt16BE(offset + 2);
-    offset += 4;
-    if (extensionType === 0x0000) { // SNI extension
-      if (offset + 2 > buffer.length) return undefined;
-      const sniListLength = buffer.readUInt16BE(offset);
-      offset += 2;
-      const sniListEnd = offset + sniListLength;
-      while (offset + 3 < sniListEnd) {
-        const nameType = buffer.readUInt8(offset++);
-        const nameLen = buffer.readUInt16BE(offset);
-        offset += 2;
-        if (nameType === 0) { // host_name
-          if (offset + nameLen > buffer.length) return undefined;
-          return buffer.toString('utf8', offset, offset + nameLen);
-        }
-        offset += nameLen;
-      }
-      break;
-    } else {
-      offset += extensionLength;
-    }
-  }
-  return undefined;
-}
-
-interface IConnectionRecord {
-  incoming: plugins.net.Socket;
-  outgoing: plugins.net.Socket | null;
-  incomingStartTime: number;
-  outgoingStartTime?: number;
-  connectionClosed: boolean;
-}
-
-export class PortProxy {
-  netServer: plugins.net.Server;
-  settings: IProxySettings;
-  // Unified record tracking each connection pair.
-  private connectionRecords: Set<IConnectionRecord> = new Set();
-  private connectionLogger: NodeJS.Timeout | null = null;
-
-  private terminationStats: {
-    incoming: Record<string, number>;
-    outgoing: Record<string, number>;
-  } = {
-    incoming: {},
-    outgoing: {},
-  };
-
-  constructor(settings: IProxySettings) {
-    this.settings = {
-      ...settings,
-      toHost: settings.toHost || 'localhost',
-    };
-  }
-
-  private incrementTerminationStat(side: 'incoming' | 'outgoing', reason: string): void {
-    this.terminationStats[side][reason] = (this.terminationStats[side][reason] || 0) + 1;
-  }
-
-  public async start() {
-    // Helper to forcefully destroy sockets.
-    const cleanUpSockets = (socketA: plugins.net.Socket, socketB?: plugins.net.Socket) => {
-      if (!socketA.destroyed) socketA.destroy();
-      if (socketB && !socketB.destroyed) socketB.destroy();
-    };
-
-    // Normalize an IP to include both IPv4 and IPv6 representations.
-    const normalizeIP = (ip: string): string[] => {
-      if (ip.startsWith('::ffff:')) {
-        const ipv4 = ip.slice(7);
-        return [ip, ipv4];
-      }
-      if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
-        return [ip, `::ffff:${ip}`];
-      }
-      return [ip];
-    };
-
-    // Check if a given IP matches any of the glob patterns.
-    const isAllowed = (ip: string, patterns: string[]): boolean => {
-      const normalizedIPVariants = normalizeIP(ip);
-      const expandedPatterns = patterns.flatMap(normalizeIP);
-      return normalizedIPVariants.some(ipVariant =>
-        expandedPatterns.some(pattern => plugins.minimatch(ipVariant, pattern))
-      );
-    };
-
-    // Find a matching domain config based on the SNI.
-    const findMatchingDomain = (serverName: string): IDomainConfig | undefined =>
-      this.settings.domains.find(config => plugins.minimatch(serverName, config.domain));
-
-    this.netServer = plugins.net.createServer((socket: plugins.net.Socket) => {
-      const remoteIP = socket.remoteAddress || '';
-      const connectionRecord: IConnectionRecord = {
-        incoming: socket,
-        outgoing: null,
-        incomingStartTime: Date.now(),
-        connectionClosed: false,
-      };
-      this.connectionRecords.add(connectionRecord);
-      console.log(`New connection from ${remoteIP}. Active connections: ${this.connectionRecords.size}`);
-
-      let initialDataReceived = false;
-      let incomingTerminationReason: string | null = null;
-      let outgoingTerminationReason: string | null = null;
-
-      // Ensure cleanup happens only once for the entire connection record.
-      const cleanupOnce = () => {
-        if (!connectionRecord.connectionClosed) {
-          connectionRecord.connectionClosed = true;
-          cleanUpSockets(connectionRecord.incoming, connectionRecord.outgoing || undefined);
-          this.connectionRecords.delete(connectionRecord);
-          console.log(`Connection from ${remoteIP} terminated. Active connections: ${this.connectionRecords.size}`);
-        }
-      };
-
-      // Helper to reject an incoming connection.
-      const rejectIncomingConnection = (reason: string, logMessage: string) => {
-        console.log(logMessage);
-        socket.end();
-        if (incomingTerminationReason === null) {
-          incomingTerminationReason = reason;
-          this.incrementTerminationStat('incoming', reason);
-        }
-        cleanupOnce();
-      };
-
-      socket.on('error', (err: Error) => {
-        const errorMessage = initialDataReceived
-          ? `(Immediate) Incoming socket error from ${remoteIP}: ${err.message}`
-          : `(Premature) Incoming socket error from ${remoteIP} before data received: ${err.message}`;
-        console.log(errorMessage);
-      });
-
-      const handleError = (side: 'incoming' | 'outgoing') => (err: Error) => {
-        const code = (err as any).code;
-        let reason = 'error';
-        if (code === 'ECONNRESET') {
-          reason = 'econnreset';
-          console.log(`ECONNRESET on ${side} side from ${remoteIP}: ${err.message}`);
-        } else {
-          console.log(`Error on ${side} side from ${remoteIP}: ${err.message}`);
-        }
-        if (side === 'incoming' && incomingTerminationReason === null) {
-          incomingTerminationReason = reason;
-          this.incrementTerminationStat('incoming', reason);
-        } else if (side === 'outgoing' && outgoingTerminationReason === null) {
-          outgoingTerminationReason = reason;
-          this.incrementTerminationStat('outgoing', reason);
-        }
-        cleanupOnce();
-      };
-
-      const handleClose = (side: 'incoming' | 'outgoing') => () => {
-        console.log(`Connection closed on ${side} side from ${remoteIP}`);
-        if (side === 'incoming' && incomingTerminationReason === null) {
-          incomingTerminationReason = 'normal';
-          this.incrementTerminationStat('incoming', 'normal');
-        } else if (side === 'outgoing' && outgoingTerminationReason === null) {
-          outgoingTerminationReason = 'normal';
-          this.incrementTerminationStat('outgoing', 'normal');
-        }
-        cleanupOnce();
-      };
-
-      const setupConnection = (serverName: string, initialChunk?: Buffer) => {
-        const defaultAllowed = this.settings.defaultAllowedIPs && isAllowed(remoteIP, this.settings.defaultAllowedIPs);
-
-        if (!defaultAllowed && serverName) {
-          const domainConfig = findMatchingDomain(serverName);
-          if (!domainConfig) {
-            return rejectIncomingConnection('rejected', `Connection rejected: No matching domain config for ${serverName} from ${remoteIP}`);
-          }
-          if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
-            return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed for domain ${serverName}`);
-          }
-        } else if (!defaultAllowed && !serverName) {
-          return rejectIncomingConnection('rejected', `Connection rejected: No SNI and IP ${remoteIP} not in default allowed list`);
-        } else if (defaultAllowed && !serverName) {
-          console.log(`Connection allowed: IP ${remoteIP} is in default allowed list`);
-        }
-
-        const domainConfig = serverName ? findMatchingDomain(serverName) : undefined;
-        const targetHost = domainConfig?.targetIP || this.settings.toHost!;
-        const connectionOptions: plugins.net.NetConnectOpts = {
-          host: targetHost,
-          port: this.settings.toPort,
-        };
-        if (this.settings.preserveSourceIP) {
-          connectionOptions.localAddress = remoteIP.replace('::ffff:', '');
-        }
-
-        const targetSocket = plugins.net.connect(connectionOptions);
-        connectionRecord.outgoing = targetSocket;
-        connectionRecord.outgoingStartTime = Date.now();
-
-        console.log(
-          `Connection established: ${remoteIP} -> ${targetHost}:${this.settings.toPort}` +
-          `${serverName ? ` (SNI: ${serverName})` : ''}`
-        );
-
-        if (initialChunk) {
-          socket.unshift(initialChunk);
-        }
-        socket.setTimeout(120000);
-        socket.pipe(targetSocket);
-        targetSocket.pipe(socket);
-
-        socket.on('error', handleError('incoming'));
-        targetSocket.on('error', handleError('outgoing'));
-        socket.on('close', handleClose('incoming'));
-        targetSocket.on('close', handleClose('outgoing'));
-        socket.on('timeout', () => {
-          console.log(`Timeout on incoming side from ${remoteIP}`);
-          if (incomingTerminationReason === null) {
-            incomingTerminationReason = 'timeout';
-            this.incrementTerminationStat('incoming', 'timeout');
-          }
-          cleanupOnce();
-        });
-        targetSocket.on('timeout', () => {
-          console.log(`Timeout on outgoing side from ${remoteIP}`);
-          if (outgoingTerminationReason === null) {
-            outgoingTerminationReason = 'timeout';
-            this.incrementTerminationStat('outgoing', 'timeout');
-          }
-          cleanupOnce();
-        });
-        socket.on('end', handleClose('incoming'));
-        targetSocket.on('end', handleClose('outgoing'));
-      };
-
-      if (this.settings.sniEnabled) {
-        socket.setTimeout(5000, () => {
-          console.log(`Initial data timeout for ${remoteIP}`);
-          socket.end();
-          cleanupOnce();
-        });
-
-        socket.once('data', (chunk: Buffer) => {
-          socket.setTimeout(0);
-          initialDataReceived = true;
-          const serverName = extractSNI(chunk) || '';
-          console.log(`Received connection from ${remoteIP} with SNI: ${serverName}`);
-          setupConnection(serverName, chunk);
-        });
-      } else {
-        initialDataReceived = true;
-        if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
-          return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed for non-SNI connection`);
-        }
-        setupConnection('');
-      }
-    })
-      .on('error', (err: Error) => {
-        console.log(`Server Error: ${err.message}`);
-      })
-      .listen(this.settings.fromPort, () => {
-        console.log(
-          `PortProxy -> OK: Now listening on port ${this.settings.fromPort}` +
-          `${this.settings.sniEnabled ? ' (SNI passthrough enabled)' : ''}`
-        );
-      });
-
-    // Every 10 seconds log active connection count and longest running durations.
-    this.connectionLogger = setInterval(() => {
-      const now = Date.now();
-      let maxIncoming = 0;
-      let maxOutgoing = 0;
-      for (const record of this.connectionRecords) {
-        maxIncoming = Math.max(maxIncoming, now - record.incomingStartTime);
-        if (record.outgoingStartTime) {
-          maxOutgoing = Math.max(maxOutgoing, now - record.outgoingStartTime);
-        }
-      }
-      console.log(
-        `(Interval Log) Active connections: ${this.connectionRecords.size}. ` +
-        `Longest running incoming: ${plugins.prettyMs(maxIncoming)}, outgoing: ${plugins.prettyMs(maxOutgoing)}. ` +
-        `Termination stats (incoming): ${JSON.stringify(this.terminationStats.incoming)}, ` +
-        `(outgoing): ${JSON.stringify(this.terminationStats.outgoing)}`
-      );
-    }, 10000);
-  }
-
-  public async stop() {
-    const done = plugins.smartpromise.defer();
-    this.netServer.close(() => {
-      done.resolve();
-    });
-    if (this.connectionLogger) {
-      clearInterval(this.connectionLogger);
-      this.connectionLogger = null;
-    }
-    await done.promise;
-  }
-}