3.20.1

changelog.md

@@ -1,5 +1,51 @@
 # Changelog
 
+## 2025-03-01 - 3.20.1 - fix(PortProxy)
+Improve IP allowance check for forced domains
+
+- Enhanced IP allowance check logic by incorporating blocked IPs and default allowed IPs for forced domains within port proxy configurations.
+
+## 2025-03-01 - 3.20.0 - feat(PortProxy)
+Enhance PortProxy with advanced connection cleanup and logging
+
+- Introduced `cleanupConnection` method for improved connection management.
+- Added logging for connection cleanup including special conditions.
+- Implemented parity check to clean up connections when outgoing side closes but incoming remains active.
+- Improved logging during interval checks for active connections and their durations.
+
+## 2025-03-01 - 3.19.0 - feat(PortProxy)
+Enhance PortProxy with default blocked IPs
+
+- Introduced defaultBlockedIPs in IPortProxySettings to handle globally blocked IPs.
+- Added logic for merging domain-specific and default allowed and blocked IPs for effective IP filtering.
+- Refactored helper functions for IP and port range checks to improve modularity in PortProxy.
+
+## 2025-02-27 - 3.18.2 - fix(portproxy)
+Fixed typographical errors in comments within PortProxy class.
+
+- Corrected typographical errors in comments within the PortProxy class.
+
+## 2025-02-27 - 3.18.1 - fix(PortProxy)
+Refactor and enhance PortProxy test cases and handling
+
+- Refactored test cases in test/test.portproxy.ts for clarity and added coverage.
+- Improved TCP server helper functions for better flexibility.
+- Fixed issues with domain handling in PortProxy configuration.
+- Introduced round-robin logic for multi-IP domains in PortProxy.
+- Ensured proper cleanup and stopping of test servers in the test suite.
+
+## 2025-02-27 - 3.18.0 - feat(PortProxy)
+Add SNI-based renegotiation handling in PortProxy
+
+- Introduced a new field 'lockedDomain' in IConnectionRecord to store initial SNI.
+- Enhanced connection management by enforcing termination if rehandshake is detected with different SNI.
+
+## 2025-02-27 - 3.17.1 - fix(PortProxy)
+Fix handling of SNI re-negotiation in PortProxy
+
+- Removed connection locking to the initially negotiated SNI
+- Improved handling of SNI during renegotiation in PortProxy
+
 ## 2025-02-27 - 3.17.0 - feat(smartproxy)
 Enhance description clarity and improve SNI handling with domain locking.
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "3.17.0",
+  "version": "3.20.1",
   "private": false,
   "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.",
   "main": "dist_ts/index.js",

test/test.portproxy.ts

@@ -8,31 +8,30 @@ const TEST_SERVER_PORT = 4000;
 const PROXY_PORT = 4001;
 const TEST_DATA = 'Hello through port proxy!';
 
-// Helper function to create a test TCP server
-function createTestServer(port: number): Promise<net.Server> {
+// Helper: Creates a test TCP server that listens on a given port and host.
+function createTestServer(port: number, host: string = 'localhost'): Promise<net.Server> {
   return new Promise((resolve) => {
     const server = net.createServer((socket) => {
       socket.on('data', (data) => {
-        // Echo the received data back
+        // Echo the received data back with a prefix.
         socket.write(`Echo: ${data.toString()}`);
       });
       socket.on('error', (error) => {
-        console.error('[Test Server] Socket error:', error);
+        console.error(`[Test Server] Socket error on ${host}:${port}:`, error);
       });
     });
-    server.listen(port, () => {
-      console.log(`[Test Server] Listening on port ${port}`);
+    server.listen(port, host, () => {
+      console.log(`[Test Server] Listening on ${host}:${port}`);
       resolve(server);
     });
   });
 }
 
-// Helper function to create a test client connection
+// Helper: Creates a test client connection.
 function createTestClient(port: number, data: string): Promise<string> {
   return new Promise((resolve, reject) => {
     const client = new net.Socket();
     let response = '';
-
     client.connect(port, 'localhost', () => {
       console.log('[Test Client] Connected to server');
       client.write(data);
@@ -41,47 +40,44 @@ function createTestClient(port: number, data: string): Promise<string> {
       response += chunk.toString();
       client.end();
     });
-    client.on('end', () => {
-      resolve(response);
-    });
-    client.on('error', (error) => {
-      reject(error);
-    });
+    client.on('end', () => resolve(response));
+    client.on('error', (error) => reject(error));
   });
 }
 
-// Setup test environment
+// SETUP: Create a test server and a PortProxy instance.
 tap.test('setup port proxy test environment', async () => {
   testServer = await createTestServer(TEST_SERVER_PORT);
   portProxy = new PortProxy({
     fromPort: PROXY_PORT,
     toPort: TEST_SERVER_PORT,
     targetIP: 'localhost',
-    domains: [],
+    domainConfigs: [],
     sniEnabled: false,
     defaultAllowedIPs: ['127.0.0.1'],
     globalPortRanges: []
   });
 });
 
+// Test that the proxy starts and its servers are listening.
 tap.test('should start port proxy', async () => {
   await portProxy.start();
-  // Since netServers is private, we cast to any to verify that all created servers are listening.
   expect((portProxy as any).netServers.every((server: net.Server) => server.listening)).toBeTrue();
 });
 
+// Test basic TCP forwarding.
 tap.test('should forward TCP connections and data to localhost', async () => {
   const response = await createTestClient(PROXY_PORT, TEST_DATA);
   expect(response).toEqual(`Echo: ${TEST_DATA}`);
 });
 
+// Test proxy with a custom target host.
 tap.test('should forward TCP connections to custom host', async () => {
-  // Create a new proxy instance with a custom host (targetIP)
   const customHostProxy = new PortProxy({
     fromPort: PROXY_PORT + 1,
     toPort: TEST_SERVER_PORT,
     targetIP: '127.0.0.1',
-    domains: [],
+    domainConfigs: [],
     sniEnabled: false,
     defaultAllowedIPs: ['127.0.0.1'],
     globalPortRanges: []
@@ -93,153 +89,151 @@ tap.test('should forward TCP connections to custom host', async () => {
   await customHostProxy.stop();
 });
 
-tap.test('should forward connections based on domain-specific target IP', async () => {
-  // Create a second test server on a different port
-  const TEST_SERVER_PORT_2 = TEST_SERVER_PORT + 100;
-  const testServer2 = await createTestServer(TEST_SERVER_PORT_2);
+// Test forced domain routing via port-range configuration.
+// In this test, we want to forward to a different IP (using '127.0.0.2')
+// while keeping the same port. We create a test server on '127.0.0.2'.
+tap.test('should forward connections based on domain-specific target IP (forced domain via port-range)', async () => {
+  const forcedProxyPort = PROXY_PORT + 2;
+  // Create a test server listening on '127.0.0.2' at forcedProxyPort.
+  const testServer2 = await createTestServer(forcedProxyPort, '127.0.0.2');
 
-  // Create a proxy with domain-specific target IPs
   const domainProxy = new PortProxy({
-    fromPort: PROXY_PORT + 2,
-    toPort: TEST_SERVER_PORT,  // default port (for non-port-range handling)
-    targetIP: 'localhost',     // default target IP
-    domains: [{
-      domain: 'domain1.test',
+    fromPort: forcedProxyPort,
+    toPort: TEST_SERVER_PORT, // default target port (unused for forced domain)
+    targetIP: 'localhost',
+    domainConfigs: [{
+      domains: ['forced.test'],
       allowedIPs: ['127.0.0.1'],
-      targetIP: '127.0.0.1'
-    }, {
-      domain: 'domain2.test',
-      allowedIPs: ['127.0.0.1'],
-      targetIP: 'localhost'
+      targetIPs: ['127.0.0.2'], // Use a different IP than the default.
+      portRanges: [{ from: forcedProxyPort, to: forcedProxyPort }]
     }],
     sniEnabled: false,
     defaultAllowedIPs: ['127.0.0.1'],
-    globalPortRanges: []
+    globalPortRanges: [{ from: forcedProxyPort, to: forcedProxyPort }]
   });
 
   await domainProxy.start();
 
-  // Test default connection (should use default targetIP)
-  const response1 = await createTestClient(PROXY_PORT + 2, TEST_DATA);
-  expect(response1).toEqual(`Echo: ${TEST_DATA}`);
-
-  // Create another proxy with a different default targetIP
-  const domainProxy2 = new PortProxy({
-    fromPort: PROXY_PORT + 3,
-    toPort: TEST_SERVER_PORT,
-    targetIP: '127.0.0.1',
-    domains: [],
-    sniEnabled: false,
-    defaultAllowedIPs: ['127.0.0.1'],
-    globalPortRanges: []
-  });
-
-  await domainProxy2.start();
-  const response2 = await createTestClient(PROXY_PORT + 3, TEST_DATA);
-  expect(response2).toEqual(`Echo: ${TEST_DATA}`);
+  // When connecting to forcedProxyPort, forced domain handling triggers,
+  // so the proxy will connect to '127.0.0.2' on the same port.
+  const response = await createTestClient(forcedProxyPort, TEST_DATA);
+  expect(response).toEqual(`Echo: ${TEST_DATA}`);
 
   await domainProxy.stop();
-  await domainProxy2.stop();
   await new Promise<void>((resolve) => testServer2.close(() => resolve()));
 });
 
+// Test handling of multiple concurrent connections.
 tap.test('should handle multiple concurrent connections', async () => {
   const concurrentRequests = 5;
-  const requests = Array(concurrentRequests).fill(null).map((_, i) => 
+  const requests = Array(concurrentRequests).fill(null).map((_, i) =>
     createTestClient(PROXY_PORT, `${TEST_DATA} ${i + 1}`)
   );
-  
   const responses = await Promise.all(requests);
-  
   responses.forEach((response, i) => {
     expect(response).toEqual(`Echo: ${TEST_DATA} ${i + 1}`);
   });
 });
 
+// Test connection timeout handling.
 tap.test('should handle connection timeouts', async () => {
   const client = new net.Socket();
   await new Promise<void>((resolve) => {
     client.connect(PROXY_PORT, 'localhost', () => {
-      // Don't send any data, just wait for timeout
-      client.on('close', () => {
-        resolve();
-      });
+      // Do not send any data to trigger a timeout.
+      client.on('close', () => resolve());
     });
   });
 });
 
+// Test stopping the port proxy.
 tap.test('should stop port proxy', async () => {
   await portProxy.stop();
   expect((portProxy as any).netServers.every((server: net.Server) => !server.listening)).toBeTrue();
 });
 
-// Cleanup chained proxies tests
+// Test chained proxies with and without source IP preservation.
 tap.test('should support optional source IP preservation in chained proxies', async () => {
-  // Test 1: Without IP preservation (default behavior)
+  // Chained proxies without IP preservation.
   const firstProxyDefault = new PortProxy({
     fromPort: PROXY_PORT + 4,
     toPort: PROXY_PORT + 5,
     targetIP: 'localhost',
-    domains: [],
+    domainConfigs: [],
     sniEnabled: false,
     defaultAllowedIPs: ['127.0.0.1', '::ffff:127.0.0.1'],
     globalPortRanges: []
   });
-
   const secondProxyDefault = new PortProxy({
     fromPort: PROXY_PORT + 5,
     toPort: TEST_SERVER_PORT,
     targetIP: 'localhost',
-    domains: [],
+    domainConfigs: [],
     sniEnabled: false,
     defaultAllowedIPs: ['127.0.0.1', '::ffff:127.0.0.1'],
     globalPortRanges: []
   });
-
   await secondProxyDefault.start();
   await firstProxyDefault.start();
-
-  // This should work because we explicitly allow both IPv4 and IPv6 formats
   const response1 = await createTestClient(PROXY_PORT + 4, TEST_DATA);
   expect(response1).toEqual(`Echo: ${TEST_DATA}`);
-
   await firstProxyDefault.stop();
   await secondProxyDefault.stop();
 
-  // Test 2: With IP preservation
+  // Chained proxies with IP preservation.
   const firstProxyPreserved = new PortProxy({
     fromPort: PROXY_PORT + 6,
     toPort: PROXY_PORT + 7,
     targetIP: 'localhost',
-    domains: [],
+    domainConfigs: [],
     sniEnabled: false,
     defaultAllowedIPs: ['127.0.0.1'],
     preserveSourceIP: true,
     globalPortRanges: []
   });
-
   const secondProxyPreserved = new PortProxy({
     fromPort: PROXY_PORT + 7,
     toPort: TEST_SERVER_PORT,
     targetIP: 'localhost',
-    domains: [],
+    domainConfigs: [],
     sniEnabled: false,
     defaultAllowedIPs: ['127.0.0.1'],
     preserveSourceIP: true,
     globalPortRanges: []
   });
-
   await secondProxyPreserved.start();
   await firstProxyPreserved.start();
-
-  // This should work with just IPv4 because source IP is preserved
   const response2 = await createTestClient(PROXY_PORT + 6, TEST_DATA);
   expect(response2).toEqual(`Echo: ${TEST_DATA}`);
-
   await firstProxyPreserved.stop();
   await secondProxyPreserved.stop();
 });
 
+// Test round-robin behavior for multiple target IPs in a domain config.
+tap.test('should use round robin for multiple target IPs in domain config', async () => {
+  const domainConfig = {
+    domains: ['rr.test'],
+    allowedIPs: ['127.0.0.1'],
+    targetIPs: ['hostA', 'hostB']
+  } as any;
+  
+  const proxyInstance = new PortProxy({
+    fromPort: 0,
+    toPort: 0,
+    targetIP: 'localhost',
+    domainConfigs: [domainConfig],
+    sniEnabled: false,
+    defaultAllowedIPs: [],
+    globalPortRanges: []
+  });
+  
+  const firstTarget = (proxyInstance as any).getTargetIP(domainConfig);
+  const secondTarget = (proxyInstance as any).getTargetIP(domainConfig);
+  expect(firstTarget).toEqual('hostA');
+  expect(secondTarget).toEqual('hostB');
+});
+
+// CLEANUP: Tear down the test server.
 tap.test('cleanup port proxy test environment', async () => {
   await new Promise<void>((resolve) => testServer.close(() => resolve()));
 });
@@ -248,7 +242,6 @@ process.on('exit', () => {
   if (testServer) {
     testServer.close();
   }
-  // Use a cast to access the private property for cleanup.
   if (portProxy && (portProxy as any).netServers) {
     portProxy.stop();
   }

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '3.17.0',
+  version: '3.20.1',
   description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.'
 }

ts/classes.portproxy.ts

@@ -1,11 +1,12 @@
 import * as plugins from './plugins.js';
 
-/** Domain configuration with per‐domain allowed port ranges */
+/** Domain configuration with per-domain allowed port ranges */
 export interface IDomainConfig {
-  domain: string | string[];         // Glob pattern or patterns for domain(s)
-  allowedIPs: string[];              // Glob patterns for allowed IPs
-  targetIP?: string;                 // Optional target IP for this domain
-  portRanges?: Array<{ from: number; to: number }>; // Optional domain-specific allowed port ranges
+  domains: string[];         // Glob patterns for domain(s)
+  allowedIPs: string[];      // Glob patterns for allowed IPs
+  blockedIPs?: string[];     // Glob patterns for blocked IPs
+  targetIPs?: string[];      // If multiple targetIPs are given, use round robin.
+  portRanges?: Array<{ from: number; to: number }>; // Optional port ranges
 }
 
 /** Port proxy settings including global allowed port ranges */
@@ -13,9 +14,10 @@ export interface IPortProxySettings extends plugins.tls.TlsOptions {
   fromPort: number;
   toPort: number;
   targetIP?: string; // Global target host to proxy to, defaults to 'localhost'
-  domains: IDomainConfig[];
+  domainConfigs: IDomainConfig[];
   sniEnabled?: boolean;
   defaultAllowedIPs?: string[];
+  defaultBlockedIPs?: string[];
   preserveSourceIP?: boolean;
   maxConnectionLifetime?: number; // (ms) force cleanup of long-lived connections
   globalPortRanges: Array<{ from: number; to: number }>; // Global allowed port ranges
@@ -90,11 +92,42 @@ interface IConnectionRecord {
   outgoing: plugins.net.Socket | null;
   incomingStartTime: number;
   outgoingStartTime?: number;
+  outgoingClosedTime?: number;
   lockedDomain?: string; // New field to lock this connection to the initial SNI
   connectionClosed: boolean;
   cleanupTimer?: NodeJS.Timeout; // Timer to force cleanup after max lifetime/inactivity
 }
 
+// Helper: Check if a port falls within any of the given port ranges.
+const isPortInRanges = (port: number, ranges: Array<{ from: number; to: number }>): boolean => {
+  return ranges.some(range => port >= range.from && port <= range.to);
+};
+
+// Helper: Check if a given IP matches any of the glob patterns.
+const isAllowed = (ip: string, patterns: string[]): boolean => {
+  const normalizeIP = (ip: string): string[] => {
+    if (ip.startsWith('::ffff:')) {
+      const ipv4 = ip.slice(7);
+      return [ip, ipv4];
+    }
+    if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
+      return [ip, `::ffff:${ip}`];
+    }
+    return [ip];
+  };
+  const normalizedIPVariants = normalizeIP(ip);
+  const expandedPatterns = patterns.flatMap(normalizeIP);
+  return normalizedIPVariants.some(ipVariant =>
+    expandedPatterns.some(pattern => plugins.minimatch(ipVariant, pattern))
+  );
+};
+
+// Helper: Check if an IP is allowed considering allowed and blocked glob patterns.
+const isGlobIPAllowed = (ip: string, allowed: string[], blocked: string[] = []): boolean => {
+  if (blocked.length > 0 && isAllowed(ip, blocked)) return false;
+  return isAllowed(ip, allowed);
+};
+
 export class PortProxy {
   private netServers: plugins.net.Server[] = [];
   settings: IPortProxySettings;
@@ -102,6 +135,9 @@ export class PortProxy {
   private connectionRecords: Set<IConnectionRecord> = new Set();
   private connectionLogger: NodeJS.Timeout | null = null;
 
+  // Map to track round robin indices for each domain config.
+  private domainTargetIndices: Map<IDomainConfig, number> = new Map();
+
   private terminationStats: {
     incoming: Record<string, number>;
     outgoing: Record<string, number>;
@@ -122,6 +158,43 @@ export class PortProxy {
     this.terminationStats[side][reason] = (this.terminationStats[side][reason] || 0) + 1;
   }
 
+  /**
+   * Cleans up a connection record if not already cleaned up.
+   * Destroys both incoming and outgoing sockets, clears timers, and removes the record.
+   * Logs the cleanup event.
+   */
+  private cleanupConnection(record: IConnectionRecord, special: boolean = false): void {
+    if (!record.connectionClosed) {
+      record.connectionClosed = true;
+      if (record.cleanupTimer) {
+        clearTimeout(record.cleanupTimer);
+      }
+      if (!record.incoming.destroyed) {
+        record.incoming.destroy();
+      }
+      if (record.outgoing && !record.outgoing.destroyed) {
+        record.outgoing.destroy();
+      }
+      this.connectionRecords.delete(record);
+      const remoteIP = record.incoming.remoteAddress || 'unknown';
+      if (special) {
+        console.log(`Special parity cleanup: Connection from ${remoteIP} cleaned up due to duration difference.`);
+      } else {
+        console.log(`Connection from ${remoteIP} terminated. Active connections: ${this.connectionRecords.size}`);
+      }
+    }
+  }
+
+  private getTargetIP(domainConfig: IDomainConfig): string {
+    if (domainConfig.targetIPs && domainConfig.targetIPs.length > 0) {
+      const currentIndex = this.domainTargetIndices.get(domainConfig) || 0;
+      const ip = domainConfig.targetIPs[currentIndex % domainConfig.targetIPs.length];
+      this.domainTargetIndices.set(domainConfig, currentIndex + 1);
+      return ip;
+    }
+    return this.settings.targetIP!;
+  }
+
   public async start() {
     // Define a unified connection handler for all listening ports.
     const connectionHandler = (socket: plugins.net.Socket) => {
@@ -140,18 +213,9 @@ export class PortProxy {
       let incomingTerminationReason: string | null = null;
       let outgoingTerminationReason: string | null = null;
 
-      // Ensure cleanup happens only once for the entire connection record.
-      const cleanupOnce = async () => {
-        if (!connectionRecord.connectionClosed) {
-          connectionRecord.connectionClosed = true;
-          if (connectionRecord.cleanupTimer) {
-            clearTimeout(connectionRecord.cleanupTimer);
-          }
-          if (!socket.destroyed) socket.destroy();
-          if (connectionRecord.outgoing && !connectionRecord.outgoing.destroyed) connectionRecord.outgoing.destroy();
-          this.connectionRecords.delete(connectionRecord);
-          console.log(`Connection from ${remoteIP} terminated. Active connections: ${this.connectionRecords.size}`);
-        }
+      // Local cleanup function that delegates to the class method.
+      const cleanupOnce = () => {
+        this.cleanupConnection(connectionRecord);
       };
 
       // Helper to reject an incoming connection.
@@ -199,6 +263,8 @@ export class PortProxy {
         } else if (side === 'outgoing' && outgoingTerminationReason === null) {
           outgoingTerminationReason = 'normal';
           this.incrementTerminationStat('outgoing', 'normal');
+          // Record the time when outgoing socket closed.
+          connectionRecord.outgoingClosedTime = Date.now();
         }
         cleanupOnce();
       };
@@ -214,26 +280,30 @@ export class PortProxy {
         // If a forcedDomain is provided (port-based routing), use it; otherwise, use SNI-based lookup.
         const domainConfig = forcedDomain
           ? forcedDomain
-          : (serverName ? this.settings.domains.find(config => {
-              if (typeof config.domain === 'string') {
-                return plugins.minimatch(serverName, config.domain);
-              } else {
-                return config.domain.some(d => plugins.minimatch(serverName, d));
-              }
-            }) : undefined);
+          : (serverName ? this.settings.domainConfigs.find(config =>
+              config.domains.some(d => plugins.minimatch(serverName, d))
+            ) : undefined);
 
-        // If a matching domain config exists, check its allowedIPs.
+        // Effective IP check: merge allowed IPs with default allowed, and remove blocked IPs.
         if (domainConfig) {
-          if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
-            return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed for domain ${Array.isArray(domainConfig.domain) ? domainConfig.domain.join(', ') : domainConfig.domain}`);
+          const effectiveAllowedIPs: string[] = [
+            ...domainConfig.allowedIPs,
+            ...(this.settings.defaultAllowedIPs || [])
+          ];
+          const effectiveBlockedIPs: string[] = [
+            ...(domainConfig.blockedIPs || []),
+            ...(this.settings.defaultBlockedIPs || [])
+          ];
+          if (!isGlobIPAllowed(remoteIP, effectiveAllowedIPs, effectiveBlockedIPs)) {
+            return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed for domain ${domainConfig.domains.join(', ')}`);
           }
         } else if (this.settings.defaultAllowedIPs) {
-          // Only check default allowed IPs if no domain config matched.
-          if (!isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
+          if (!isGlobIPAllowed(remoteIP, this.settings.defaultAllowedIPs, this.settings.defaultBlockedIPs || [])) {
             return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed by default allowed list`);
           }
         }
-        const targetHost = domainConfig?.targetIP || this.settings.targetIP!;
+
+        const targetHost = domainConfig ? this.getTargetIP(domainConfig) : this.settings.targetIP!;
         const connectionOptions: plugins.net.NetConnectOpts = {
           host: targetHost,
           port: overridePort !== undefined ? overridePort : this.settings.toPort,
@@ -248,7 +318,7 @@ export class PortProxy {
 
         console.log(
           `Connection established: ${remoteIP} -> ${targetHost}:${connectionOptions.port}` +
-          `${serverName ? ` (SNI: ${serverName})` : forcedDomain ? ` (Port-based for domain: ${Array.isArray(forcedDomain.domain) ? forcedDomain.domain.join(', ') : forcedDomain.domain})` : ''}`
+          `${serverName ? ` (SNI: ${serverName})` : forcedDomain ? ` (Port-based for domain: ${forcedDomain.domains.join(', ')})` : ''}`
         );
 
         if (initialChunk) {
@@ -330,24 +400,33 @@ export class PortProxy {
           }
           console.log(`Port-based connection from ${remoteIP} on port ${localPort} forwarded to global target IP ${this.settings.targetIP}.`);
           setupConnection('', undefined, {
-            domain: 'global',
+            domains: ['global'],
             allowedIPs: this.settings.defaultAllowedIPs || [],
-            targetIP: this.settings.targetIP,
+            blockedIPs: this.settings.defaultBlockedIPs || [],
+            targetIPs: [this.settings.targetIP!],
             portRanges: []
           }, localPort);
           return;
         } else {
           // Attempt to find a matching forced domain config based on the local port.
-          const forcedDomain = this.settings.domains.find(
+          const forcedDomain = this.settings.domainConfigs.find(
             domain => domain.portRanges && domain.portRanges.length > 0 && isPortInRanges(localPort, domain.portRanges)
           );
           if (forcedDomain) {
-            if (!isAllowed(remoteIP, forcedDomain.allowedIPs)) {
-              console.log(`Connection from ${remoteIP} rejected: IP not allowed for domain ${Array.isArray(forcedDomain.domain) ? forcedDomain.domain.join(', ') : forcedDomain.domain} on port ${localPort}.`);
+            const effectiveAllowedIPs: string[] = [
+              ...forcedDomain.allowedIPs,
+              ...(this.settings.defaultAllowedIPs || [])
+            ];
+            const effectiveBlockedIPs: string[] = [
+              ...(forcedDomain.blockedIPs || []),
+              ...(this.settings.defaultBlockedIPs || [])
+            ];
+            if (!isGlobIPAllowed(remoteIP, effectiveAllowedIPs, effectiveBlockedIPs)) {
+              console.log(`Connection from ${remoteIP} rejected: IP not allowed for domain ${forcedDomain.domains.join(', ')} on port ${localPort}.`);
               socket.end();
               return;
             }
-            console.log(`Port-based connection from ${remoteIP} on port ${localPort} matched domain ${Array.isArray(forcedDomain.domain) ? forcedDomain.domain.join(', ') : forcedDomain.domain}.`);
+            console.log(`Port-based connection from ${remoteIP} on port ${localPort} matched domain ${forcedDomain.domains.join(', ')}.`);
             setupConnection('', undefined, forcedDomain, localPort);
             return;
           }
@@ -370,15 +449,18 @@ export class PortProxy {
           // Lock the connection to the negotiated SNI.
           connectionRecord.lockedDomain = serverName;
           console.log(`Received connection from ${remoteIP} with SNI: ${serverName}`);
-          // Add an extra data listener to check for a renegotiated ClientHello.
-          socket.on('data', (chunk: Buffer) => {
-            if (chunk.length > 0 && chunk.readUInt8(0) === 22) {
-              const newSNI = extractSNI(chunk);
-              if (newSNI && newSNI !== connectionRecord.lockedDomain) {
-                console.log(`Rehandshake detected with different SNI: ${newSNI} vs locked ${connectionRecord.lockedDomain}. Terminating connection.`);
-                cleanupOnce();
+          // Delay adding the renegotiation listener until the next tick,
+          // so the initial ClientHello is not reprocessed.
+          setImmediate(() => {
+            socket.on('data', (renegChunk: Buffer) => {
+              if (renegChunk.length > 0 && renegChunk.readUInt8(0) === 22) {
+                const newSNI = extractSNI(renegChunk);
+                if (newSNI && newSNI !== connectionRecord.lockedDomain) {
+                  console.log(`Rehandshake detected with different SNI: ${newSNI} vs locked ${connectionRecord.lockedDomain}. Terminating connection.`);
+                  cleanupOnce();
+                }
               }
-            }
+            });
           });
           setupConnection(serverName, chunk);
         });
@@ -401,7 +483,7 @@ export class PortProxy {
           listeningPorts.add(port);
         }
       }
-      // Also ensure the default fromPort is listened to if it isn’t already in the ranges.
+      // Also ensure the default fromPort is listened to if it isn't already in the ranges.
       listeningPorts.add(this.settings.fromPort);
     } else {
       listeningPorts.add(this.settings.fromPort);
@@ -420,7 +502,7 @@ export class PortProxy {
       this.netServers.push(server);
     }
 
-    // Log active connection count and longest running durations every 10 seconds.
+    // Log active connection count, longest running durations, and run parity checks every 10 seconds.
     this.connectionLogger = setInterval(() => {
       const now = Date.now();
       let maxIncoming = 0;
@@ -430,6 +512,12 @@ export class PortProxy {
         if (record.outgoingStartTime) {
           maxOutgoing = Math.max(maxOutgoing, now - record.outgoingStartTime);
         }
+        // Parity check: if outgoing socket closed and incoming remains active for >1 minute, trigger special cleanup.
+        if (record.outgoingClosedTime && !record.incoming.destroyed && (now - record.outgoingClosedTime > 60000)) {
+          const remoteIP = record.incoming.remoteAddress || 'unknown';
+          console.log(`Parity check triggered: Incoming socket for ${remoteIP} has been active >1 minute after outgoing closed.`);
+          this.cleanupConnection(record, true);
+        }
       }
       console.log(
         `(Interval Log) Active connections: ${this.connectionRecords.size}. ` +
@@ -454,28 +542,4 @@ export class PortProxy {
     }
     await Promise.all(closePromises);
   }
-}
-
-// Helper: Check if a port falls within any of the given port ranges.
-const isPortInRanges = (port: number, ranges: Array<{ from: number; to: number }>): boolean => {
-  return ranges.some(range => port >= range.from && port <= range.to);
-};
-
-// Helper: Check if a given IP matches any of the glob patterns.
-const isAllowed = (ip: string, patterns: string[]): boolean => {
-  const normalizeIP = (ip: string): string[] => {
-    if (ip.startsWith('::ffff:')) {
-      const ipv4 = ip.slice(7);
-      return [ip, ipv4];
-    }
-    if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
-      return [ip, `::ffff:${ip}`];
-    }
-    return [ip];
-  };
-  const normalizedIPVariants = normalizeIP(ip);
-  const expandedPatterns = patterns.flatMap(normalizeIP);
-  return normalizedIPVariants.some(ipVariant =>
-    expandedPatterns.some(pattern => plugins.minimatch(ipVariant, pattern))
-  );
-};
+}