3.29.0

feat(IPTablesProxy): Enhanced IPTablesProxy with multi-port and IPv6 support
3.28.6
2025-03-07 14:30:38 +00:00 · 2025-03-07 14:30:38 +00:00 · 2025-03-07 11:16:45 +00:00 · 2025-03-07 11:16:44 +00:00 · 2025-03-07 02:55:19 +00:00 · 2025-03-07 02:55:19 +00:00
21 changed files with 7038 additions and 736 deletions
--- a/changelog.md
+++ b/changelog.md
@ -1,5 +1,529 @@
 # Changelog
 ## 2025-03-07 - 3.29.0 - feat(IPTablesProxy)
 Enhanced IPTablesProxy with multi-port and IPv6 support
 - Added support for specifying multiple ports and port ranges, allowing for more complex network proxy configurations.
 - Introduced IPv6 support to allow handling of IPv6 addressed networks.
 - Implemented more detailed logging and error handling features to improve debugging capabilities.
 - Enhanced integration options with NetworkProxy, allowing for a more seamless routing and termination process.
 - Restructured the initialization and validation process to ensure robust handling of configuration settings.
 ## 2025-03-07 - 3.28.6 - fix(PortProxy)
 Adjust default timeout settings and enhance keep-alive connection handling in PortProxy.
 - Updated default value for maxConnectionLifetime to 24 hours and inactivityTimeout to 4 hours.
 - Introduced enhanced settings for treating keep-alive connections as 'extended' or 'immortal'.
 - Modified logic to avoid closing keep-alive connections unnecessarily by adding inactivity warnings and grace periods.
 ## 2025-03-07 - 3.28.5 - fix(core)
 Ensure proper resource cleanup during server shutdown.
 - Fixed potential hanging of server shutdown due to improper cleanup in promise handling.
 - Corrected potential memory leaks by ensuring all pending and active connections are properly closed during shutdown.
 ## 2025-03-07 - 3.28.4 - fix(router)
 Improve path pattern matching and hostname prioritization in router
 - Enhance path pattern matching capabilities
 - Ensure hostname prioritization in routing logic
 ## 2025-03-06 - 3.28.3 - fix(PortProxy)
 Ensure timeout values are within Node.js safe limits
 - Implemented `ensureSafeTimeout` to keep timeout values under the maximum safe integer for Node.js.
 - Updated timeout configurations in `PortProxy` to include safety checks.
 ## 2025-03-06 - 3.28.2 - fix(portproxy)
 Adjust safe timeout defaults in PortProxy to prevent overflow issues.
 - Adjusted socketTimeout to maximum safe limit (~24.8 days) for PortProxy.
 - Adjusted maxConnectionLifetime to maximum safe limit (~24.8 days) for PortProxy.
 - Ensured enhanced default timeout settings in PortProxy.
 ## 2025-03-06 - 3.28.1 - fix(PortProxy)
 Improved code formatting and readability in PortProxy class by adjusting spacing and comments.
 - Adjusted comment and spacing for better code readability.
 - No functional changes made in the PortProxy class.
 ## 2025-03-06 - 3.28.0 - feat(router)
 Add detailed routing tests and refactor ProxyRouter for improved path matching
 - Implemented a comprehensive test suite for the ProxyRouter class to ensure accurate routing based on hostnames and path patterns.
 - Refactored the ProxyRouter to enhance path matching logic with improvements in wildcard and parameter handling.
 - Improved logging capabilities within the ProxyRouter for enhanced debugging and info level insights.
 - Optimized the data structures for storing and accessing proxy configurations to reduce overhead in routing operations.
 ## 2025-03-06 - 3.27.0 - feat(AcmeCertManager)
 Introduce AcmeCertManager for enhanced ACME certificate management
 - Refactored the existing Port80Handler to AcmeCertManager.
 - Added event-driven certificate management with CertManagerEvents.
 - Introduced options for configuration such as renew thresholds and production mode.
 - Implemented certificate renewal checks and logging improvements.
 ## 2025-03-05 - 3.26.0 - feat(readme)
 Updated README with enhanced TLS handling, connection management, and troubleshooting sections.
 - Added details on enhanced TLS handling and browser compatibility improvements.
 - Included advanced connection management features like random timeout prevention.
 - Provided comprehensive troubleshooting tips for browser certificate errors and connection stability.
 - Clarified default configuration options and optimization settings for PortProxy.
 ## 2025-03-05 - 3.25.4 - fix(portproxy)
 Improve connection timeouts and detailed logging for PortProxy
 - Refactored timeout management for connections to include enhanced defaults and prevent thundering herd.
 - Improved support for TLS handshake detection with logging capabilities in PortProxy.
 - Removed protocol-specific handling which is now managed generically.
 - Introduced enhanced logging for SNI extraction and connection management.
 ## 2025-03-05 - 3.25.3 - fix(core)
 Update dependencies and configuration improvements.
 - Upgrade TypeScript version to 5.8.2 for better compatibility.
 - Ensure all proxy and server tests pass with updated configurations.
 - Improve logging for better traceability in proxy operations.
 - Add handlers for WebSockets and HTTPS improvements.
 - Fix various issues related to proxy timeout and connection handling.
 - Update test certificates validation for better test coverage.
 ## 2025-03-05 - 3.25.2 - fix(PortProxy)
 Adjust timeout settings and handle inactivity properly in PortProxy.
 - Changed initialDataTimeout default to 30 seconds for better handling of initial data reception.
 - Adjusted keepAliveInitialDelay to 30 seconds for consistent socket optimization.
 - Introduced proper inactivity handling with updated timeout logic.
 - Parity check now accounts for a 120-second threshold for outgoing socket closure.
 ## 2025-03-05 - 3.25.1 - fix(PortProxy)
 Adjust inactivity threshold to a random value between 20 and 30 minutes for better variability
 - Modified inactivity threshold calculation within PortProxy to use a random value between 1.2 and 1.8 million milliseconds.
 ## 2025-03-05 - 3.25.0 - feat(PortProxy)
 Enhanced PortProxy with detailed logging, protocol detection, and rate limiting.
 - Added detailed logging capabilities for connection tracking in the PortProxy.
 - Introduced protocol detection allowing HTTP and WebSocket upgrades.
 - Implemented rate limiting for connections by IP.
 - Enhanced timeout handling for various protocol-specific scenarios.
 ## 2025-03-05 - 3.24.0 - feat(core)
 Enhance core functionalities and test coverage for NetworkProxy and PortProxy
 - Added maximum connections, timeout settings, log levels, and CORS support in NetworkProxy.
 - Improved WebSocket handling with heartbeat and metrics tracking.
 - Enhanced connection management in PortProxy with optimizations for socket settings.
 - SNI and IP validation improvements.
 - Updates to test cases for comprehensive coverage.
 ## 2025-03-05 - 3.23.1 - fix(PortProxy)
 Enhanced connection setup to handle pending data buffering before establishing outgoing connection
 - Introduced pending data buffering to address issues with data reception before outgoing connection is fully established.
 - Removed immediate data piping in favor of buffering to ensure complete initial data transfer.
 - Added temporary data handler to collect incoming data during connection setup for precise activity tracking.
 ## 2025-03-03 - 3.23.0 - feat(documentation)
 Updated documentation with architecture flow diagrams.
 - Added detailed architecture and flow diagrams for SmartProxy components.
 - Included HTTPS Reverse Proxy Flow diagram.
 - Integrated Port Proxy with SNI-based Routing diagram.
 - Added Let's Encrypt Certificate Acquisition flow.
 ## 2025-03-03 - 3.22.5 - fix(documentation)
 Refactored readme for clarity and consistency, fixed documentation typos
 - Updated readme to improve clarity and remove redundant information.
 - Fixed minor documentation issues in the code comments.
 - Reorganized readme structure for better readability.
 - Improved sample code snippets for easier understanding.
 ## 2025-03-03 - 3.22.4 - fix(core)
 Addressed minor issues in the core modules to improve stability and performance.
 ## 2025-03-03 - 3.22.3 - fix(core)
 Improve connection management and error handling in PortProxy
 - Refactored connection cleanup to handle errors more gracefully.
 - Introduced comprehensive comments for better code understanding.
 - Revised SNI data timeout logic for connection handling.
 - Enhanced logging and error reporting during connection management.
 - Improved inactivity checks and parity checks for existing connections.
 ## 2025-03-03 - 3.22.2 - fix(portproxy)
 Refactored connection cleanup logic in PortProxy
 - Simplified the connection cleanup logic by removing redundant methods.
 - Consolidated the cleanup initiation and execution into a single cleanup method.
 - Improved error handling by ensuring connections are closed appropriately.
 ## 2025-03-03 - 3.22.1 - fix(PortProxy)
 Fix connection timeout and IP validation handling for PortProxy
 - Adjusted initial data timeout setting for SNI-enabled connections in PortProxy.
 - Restored IP validation logic to original behavior, ensuring compatibility with domain configurations.
 ## 2025-03-03 - 3.22.0 - feat(classes.portproxy)
 Enhanced PortProxy to support initial data timeout and improved IP handling
 - Added `initialDataTimeout` to PortProxy settings for handling data flow in chained proxies.
 - Improved IP validation by allowing relaxed checks in chained proxy setups.
 - Introduced dynamic logging for connection lifecycle and proxy configurations.
 - Enhanced timeout handling for better proxy resilience.
 ## 2025-03-03 - 3.21.0 - feat(PortProxy)
 Enhancements to connection management in PortProxy
 - Introduced a unique ID for each connection record for improved tracking.
 - Enhanced cleanup mechanism for connections with dual states: initiated and executed.
 - Implemented shutdown process handling to ensure graceful connection closure.
 - Added logging for better tracing of connection activities and states.
 - Improved connection setup with explicit timeouts and data flow management.
 - Integrated inactivity and parity checks to monitor connection health.
 ## 2025-03-01 - 3.20.2 - fix(PortProxy)
 Enhance connection cleanup handling in PortProxy
 - Add checks to ensure timers are reset only if outgoing socket is active
 - Prevent setting outgoingActive if the connection is already closed
 ## 2025-03-01 - 3.20.1 - fix(PortProxy)
 Improve IP allowance check for forced domains
 - Enhanced IP allowance check logic by incorporating blocked IPs and default allowed IPs for forced domains within port proxy configurations.
 ## 2025-03-01 - 3.20.0 - feat(PortProxy)
 Enhance PortProxy with advanced connection cleanup and logging
 - Introduced `cleanupConnection` method for improved connection management.
 - Added logging for connection cleanup including special conditions.
 - Implemented parity check to clean up connections when outgoing side closes but incoming remains active.
 - Improved logging during interval checks for active connections and their durations.
 ## 2025-03-01 - 3.19.0 - feat(PortProxy)
 Enhance PortProxy with default blocked IPs
 - Introduced defaultBlockedIPs in IPortProxySettings to handle globally blocked IPs.
 - Added logic for merging domain-specific and default allowed and blocked IPs for effective IP filtering.
 - Refactored helper functions for IP and port range checks to improve modularity in PortProxy.
 ## 2025-02-27 - 3.18.2 - fix(portproxy)
 Fixed typographical errors in comments within PortProxy class.
 - Corrected typographical errors in comments within the PortProxy class.
 ## 2025-02-27 - 3.18.1 - fix(PortProxy)
 Refactor and enhance PortProxy test cases and handling
 - Refactored test cases in test/test.portproxy.ts for clarity and added coverage.
 - Improved TCP server helper functions for better flexibility.
 - Fixed issues with domain handling in PortProxy configuration.
 - Introduced round-robin logic for multi-IP domains in PortProxy.
 - Ensured proper cleanup and stopping of test servers in the test suite.
 ## 2025-02-27 - 3.18.0 - feat(PortProxy)
 Add SNI-based renegotiation handling in PortProxy
 - Introduced a new field 'lockedDomain' in IConnectionRecord to store initial SNI.
 - Enhanced connection management by enforcing termination if rehandshake is detected with different SNI.
 ## 2025-02-27 - 3.17.1 - fix(PortProxy)
 Fix handling of SNI re-negotiation in PortProxy
 - Removed connection locking to the initially negotiated SNI
 - Improved handling of SNI during renegotiation in PortProxy
 ## 2025-02-27 - 3.17.0 - feat(smartproxy)
 Enhance description clarity and improve SNI handling with domain locking.
 - Improved package description in package.json, readme.md, and npmextra.json for better clarity and keyword optimization.
 - Enhanced SNI handling in PortProxy by adding domain locking and extra checks to terminate connections if a different SNI is detected post-handshake.
 - Refactored readme.md to better explain the usage and functionalities of the proxy features including SSL redirection, WebSocket handling, and dynamic routing.
 ## 2025-02-27 - 3.16.9 - fix(portproxy)
 Extend domain input validation to support string arrays in port proxy configurations.
 - Modify IDomainConfig interface to allow domain specification as string array.
 - Update connection setup logic to handle multiple domain patterns.
 - Enhance domain rejection logging to include all domain patterns.
 ## 2025-02-27 - 3.16.8 - fix(PortProxy)
 Fix IP filtering for domain and global default allowed lists and improve port-based routing logic.
 - Improved logic to prioritize domain-specific allowed IPs over global defaults.
 - Fixed port-based rules application to handle global port ranges more effectively.
 - Enhanced rejection handling for unauthorized IP addresses in both domain-specific and default global lists.
 ## 2025-02-27 - 3.16.7 - fix(PortProxy)
 Improved IP validation logic in PortProxy to ensure correct domain matching and fallback
 - Refactored the setupConnection function inside PortProxy to enhance IP address validation.
 - Domain-specific allowed IP preference is applied before default list lookup.
 - Removed redundant condition checks to streamline connection rejection paths.
 ## 2025-02-27 - 3.16.6 - fix(PortProxy)
 Optimize connection cleanup logic in PortProxy by removing unnecessary delays.
 - Removed multiple await plugins.smartdelay.delayFor(0) calls.
 - Improved performance by ensuring timely resource release during connection termination.
 ## 2025-02-27 - 3.16.5 - fix(PortProxy)
 Improved connection cleanup process with added asynchronous delays
 - Connection cleanup now includes asynchronous delays for reliable order of operations.
 ## 2025-02-27 - 3.16.4 - fix(PortProxy)
 Fix and enhance port proxy handling
 - Ensure that all created proxy servers are correctly checked for listening state.
 - Corrected the handling of ports and domain configurations within port proxy setups.
 - Expanded test coverage for handling multiple concurrent and chained proxy connections.
 ## 2025-02-27 - 3.16.3 - fix(PortProxy)
 Refactored PortProxy to support multiple listening ports and improved modularity.
 - Updated PortProxy to allow multiple listening ports with flexible configuration.
 - Moved helper functions for IP and port range checks outside the class for cleaner code structure.
 ## 2025-02-27 - 3.16.2 - fix(PortProxy)
 Fix port-based routing logic in PortProxy
 - Optimized the handling and checking of local ports in the global port range.
 - Fixed the logic for rejecting or accepting connections based on predefined port ranges.
 - Improved handling of the default and specific domain configurations during port-based connections.
 ## 2025-02-27 - 3.16.1 - fix(core)
 Updated minor version numbers in dependencies for patch release.
 - No specific file changes detected.
 - Dependencies versioning adjusted for stability.
 ## 2025-02-27 - 3.16.0 - feat(PortProxy)
 Enhancements made to PortProxy settings and capabilities
 - Added 'forwardAllGlobalRanges' and 'targetIP' to IPortProxySettings.
 - Improved PortProxy to forward connections based on domain-specific configurations.
 - Added comprehensive handling for global port-range based connection forwarding.
 - Enabled forwarding of all connections on global port ranges directly to global target IP.
 ## 2025-02-27 - 3.15.0 - feat(classes.portproxy)
 Add support for port range-based routing with enhanced IP and port validation.
 - Introduced globalPortRanges in IPortProxySettings for routing based on port ranges.
 - Improved connection handling with port range and domain configuration validations.
 - Updated connection logging to include the local port information.
 ## 2025-02-26 - 3.14.2 - fix(PortProxy)
 Fix cleanup timer reset for PortProxy
 - Resolved an issue where the cleanup timer in the PortProxy class did not reset correctly if both incoming and outgoing data events were triggered without clearing flags.
 ## 2025-02-26 - 3.14.1 - fix(PortProxy)
 Increased default maxConnectionLifetime for PortProxy to 600000 ms
 - Updated PortProxy settings to extend default maxConnectionLifetime to 10 minutes.
 ## 2025-02-26 - 3.14.0 - feat(PortProxy)
 Introduce max connection lifetime feature
 - Added an optional maxConnectionLifetime setting for PortProxy.
 - Forces cleanup of long-lived connections based on inactivity or lifetime limit.
 ## 2025-02-25 - 3.13.0 - feat(core)
 Add support for tagging iptables rules with comments and cleaning them up on process exit
 - Extended IPTablesProxy class to include tagging rules with unique comments.
 - Added feature to clean up iptables rules via comments during process exit.
 ## 2025-02-24 - 3.12.0 - feat(IPTablesProxy)
 Introduce IPTablesProxy class for managing iptables NAT rules
 - Added IPTablesProxy class to facilitate basic port forwarding using iptables.
 - Introduced IIpTableProxySettings interface for configuring IPTablesProxy.
 - Implemented start and stop methods for managing iptables rules dynamically.
 ## 2025-02-24 - 3.11.0 - feat(Port80Handler)
 Add automatic certificate issuance with ACME client
 - Implemented automatic certificate issuance using 'acme-client' for Port80Handler.
 - Converts account key and CSR from Buffers to strings for processing.
 - Implemented HTTP-01 challenge handling for certificate acquisition.
 - New certificates are fetched and added dynamically.
 ## 2025-02-24 - 3.10.5 - fix(portproxy)
 Fix incorrect import path in test file
 - Change import path from '../ts/smartproxy.portproxy.js' to '../ts/classes.portproxy.js' in test/test.portproxy.ts
 ## 2025-02-23 - 3.10.4 - fix(PortProxy)
 Refactor connection tracking to utilize unified records in PortProxy
 - Implemented a unified record system for tracking incoming and outgoing connections.
 - Replaced individual connection tracking sets with a Set of IConnectionRecord.
 - Improved logging of connection activities and statistics.
 ## 2025-02-23 - 3.10.3 - fix(PortProxy)
 Refactor and optimize PortProxy for improved readability and maintainability
 - Simplified and clarified inline comments.
 - Optimized the extractSNI function for better readability.
 - Streamlined the cleanup process for connections in PortProxy.
 - Improved handling and logging of incoming and outgoing connections.
 ## 2025-02-23 - 3.10.2 - fix(PortProxy)
 Fix connection handling to include timeouts for SNI-enabled connections.
 - Added initial data timeout for SNI-enabled connections to improve connection handling.
 - Cleared timeout once data is received to prevent premature socket closure.
 ## 2025-02-22 - 3.10.1 - fix(PortProxy)
 Improve socket cleanup logic to prevent potential resource leaks
 - Updated socket cleanup in PortProxy to ensure sockets are forcefully destroyed if not already destroyed.
 ## 2025-02-22 - 3.10.0 - feat(smartproxy.portproxy)
 Enhance PortProxy with detailed connection statistics and termination tracking
 - Added tracking of termination statistics for incoming and outgoing connections
 - Enhanced logging to include detailed termination statistics
 - Introduced helpers to update and log termination stats
 - Retained detailed connection duration and active connection logging
 ## 2025-02-22 - 3.9.4 - fix(PortProxy)
 Ensure proper cleanup on connection rejection in PortProxy
 - Added cleanup calls after socket end in connection rejection scenarios within PortProxy
 ## 2025-02-21 - 3.9.3 - fix(PortProxy)
 Fix handling of optional outgoing socket in PortProxy
 - Refactored the cleanUpSockets function to correctly handle cases where the outgoing socket may be undefined.
 - Ensured correct handling of socket events with non-null assertions where applicable.
 - Improved robustness in connection establishment and cleanup processes.
 ## 2025-02-21 - 3.9.2 - fix(PortProxy)
 Improve timeout handling for port proxy connections
 - Added console logging for both incoming and outgoing side timeouts in the PortProxy class.
 - Updated the timeout event handlers to ensure proper cleanup of connections.
 ## 2025-02-21 - 3.9.1 - fix(dependencies)
 Ensure correct ordering of dependencies and improve logging format.
 - Reorder dependencies in package.json for better readability.
 - Use pretty-ms for displaying time durations in logs.
 ## 2025-02-21 - 3.9.0 - feat(smartproxy.portproxy)
 Add logging of connection durations to PortProxy
 - Track start times for incoming and outgoing connections.
 - Log duration of longest running incoming and outgoing connections every 10 seconds.
 ## 2025-02-21 - 3.8.1 - fix(plugins)
 Simplified plugin import structure across codebase
 - Consolidated plugin imports under a single 'plugins.ts' file.
 - Replaced individual plugin imports in smartproxy files with the consolidated plugin imports.
 - Fixed error handling for early socket errors in PortProxy setup.
 ## 2025-02-21 - 3.8.0 - feat(PortProxy)
 Add active connection tracking and logging in PortProxy
 - Implemented a feature to track active incoming connections in PortProxy.
 - Active connections are now logged every 10 seconds for monitoring purposes.
 - Refactored connection handling to ensure proper cleanup and logging.
 ## 2025-02-21 - 3.7.3 - fix(portproxy)
 Fix handling of connections in PortProxy to improve stability and performance.
 - Improved IP normalization and matching
 - Better SNI extraction and handling for TLS
 - Streamlined connection handling with robust error management
 ## 2025-02-21 - 3.7.2 - fix(PortProxy)
 Improve SNICallback and connection handling in PortProxy
 - Fixed SNICallback to create minimal TLS context for SNI.
 - Changed connection setup to use net.connect for raw passthrough.
 ## 2025-02-21 - 3.7.1 - fix(smartproxy.portproxy)
 Optimize SNI handling by simplifying context creation
 - Removed unnecessary SecureContext creation for SNI requests in PortProxy
 - Improved handling of SNI passthrough by acknowledging requests without context creation
 ## 2025-02-21 - 3.7.0 - feat(PortProxy)
 Add optional source IP preservation support in PortProxy
 - Added a feature to optionally preserve the client's source IP when proxying connections.
 - Enhanced test cases to include scenarios for source IP preservation.
 ## 2025-02-21 - 3.6.0 - feat(PortProxy)
 Add feature to preserve original client IP through chained proxies
 - Added support to bind local address in PortProxy to preserve original client IP.
 - Implemented test for chained proxies to ensure client IP is preserved.
 ## 2025-02-21 - 3.5.0 - feat(PortProxy)
 Enhance PortProxy to support domain-specific target IPs
 - Introduced support for domain-specific target IP configurations in PortProxy.
 - Updated connection handling to prioritize domain-specific target IPs if provided.
 - Added tests to verify forwarding based on domain-specific target IPs.
 ## 2025-02-21 - 3.4.4 - fix(PortProxy)
 Fixed handling of SNI domain connections and IP allowance checks
 - Improved logic for handling SNI domain checks, ensuring IPs are correctly verified.
 - Fixed issue where default allowed IPs were not being checked correctly for non-SNI connections.
 - Revised the SNICallback behavior to handle connections more gracefully when domain configurations are unavailable.
 ## 2025-02-21 - 3.4.3 - fix(PortProxy)
 Fixed indentation issue and ensured proper cleanup of sockets in PortProxy
 - Fixed inconsistent indentation in IP allowance check.
 - Ensured proper cleanup of sockets on connection end in PortProxy.
 ## 2025-02-21 - 3.4.2 - fix(smartproxy)
 Enhance SSL/TLS handling with SNI and error logging
 - Improved handling for SNI-enabled and non-SNI connections
 - Added detailed logging for connection establishment and rejections
 - Introduced error logging for TLS client errors and server errors
 ## 2025-02-21 - 3.4.1 - fix(PortProxy)
 Normalize IP addresses for port proxy to handle IPv4-mapped IPv6 addresses.
 - Improved IP normalization logic in PortProxy to support IPv4-mapped IPv6 addresses.
 - Updated isAllowed function to expand patterns for better matching accuracy.
 ## 2025-02-21 - 3.4.0 - feat(PortProxy)
 Enhanced PortProxy with custom target host and improved testing
 - PortProxy constructor now accepts 'fromPort', 'toPort', and optional 'toHost' directly from settings
 - Refactored test cases to cover forwarding to the custom host
 - Added support to handle multiple concurrent connections
 - Refactored internal connection handling logic to utilize default configurations
 ## 2025-02-21 - 3.3.1 - fix(PortProxy)
 fixed import usage of net and tls libraries for PortProxy
 - Corrected the use of plugins for importing 'tls' and 'net' libraries in the PortProxy module.
 - Updated the constructor of PortProxy to accept combined tls options with ProxySettings.
 ## 2025-02-21 - 3.3.0 - feat(PortProxy)
 Enhanced PortProxy with domain and IP filtering, SNI support, and minimatch integration
 - Added new ProxySettings interface to configure domain patterns, SNI, and default allowed IPs.
 - Integrated minimatch to filter allowed IPs and domains.
 - Enabled SNI support for PortProxy connections.
 - Updated port proxy test to accommodate new settings.
 ## 2025-02-04 - 3.2.0 - feat(testing)
 Added a comprehensive test suite for the PortProxy class
--- a/npmextra.json
+++ b/npmextra.json
@ -5,22 +5,26 @@
      "githost": "code.foss.global",
      "gitscope": "push.rocks",
      "gitrepo": "smartproxy",
-      "description": "a proxy for handling high workloads of proxying",
+      "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.",
      "npmPackagename": "@push.rocks/smartproxy",
      "license": "MIT",
      "projectDomain": "push.rocks",
      "keywords": [
        "proxy",
-        "network traffic",
+        "network",
        "traffic management",
        "SSL",
        "TLS",
        "WebSocket",
        "port proxying",
        "dynamic routing",
        "authentication",
        "real-time applications",
        "high workload",
-        "http",
+        "HTTPS",
        "https",
        "websocket",
        "network routing",
        "ssl redirect",
        "port mapping",
        "reverse proxy",
-        "authentication"
+        "server",
        "network security"
      ]
    }
  },
--- a/package.json
+++ b/package.json
@ -1,8 +1,8 @@
 {
  "name": "@push.rocks/smartproxy",
-  "version": "3.2.0",
+  "version": "3.29.0",
  "private": false,
-  "description": "a proxy for handling high workloads of proxying",
+  "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.",
  "main": "dist_ts/index.js",
  "typings": "dist_ts/index.d.ts",
  "type": "module",
@ -15,22 +15,26 @@
    "buildDocs": "tsdoc"
  },
  "devDependencies": {
-    "@git.zone/tsbuild": "^2.1.66",
+    "@git.zone/tsbuild": "^2.2.6",
    "@git.zone/tsrun": "^1.2.44",
    "@git.zone/tstest": "^1.0.77",
    "@push.rocks/tapbundle": "^5.5.6",
-    "@types/node": "^22.13.0",
+    "@types/node": "^22.13.9",
-    "typescript": "^5.7.3"
+    "typescript": "^5.8.2"
  },
  "dependencies": {
    "@push.rocks/lik": "^6.1.0",
    "@push.rocks/smartdelay": "^3.0.5",
-    "@push.rocks/smartpromise": "^4.2.2",
+    "@push.rocks/smartpromise": "^4.2.3",
    "@push.rocks/smartrequest": "^2.0.23",
    "@push.rocks/smartstring": "^4.0.15",
-    "@tsclass/tsclass": "^4.4.0",
+    "@tsclass/tsclass": "^4.4.3",
-    "@types/ws": "^8.5.14",
+    "@types/minimatch": "^5.1.2",
-    "ws": "^8.18.0"
+    "@types/ws": "^8.18.0",
    "acme-client": "^5.4.0",
    "minimatch": "^10.0.1",
    "pretty-ms": "^9.2.0",
    "ws": "^8.18.1"
  },
  "files": [
    "ts/**/*",
@ -49,16 +53,20 @@
  ],
  "keywords": [
    "proxy",
-    "network traffic",
+    "network",
    "traffic management",
    "SSL",
    "TLS",
    "WebSocket",
    "port proxying",
    "dynamic routing",
    "authentication",
    "real-time applications",
    "high workload",
-    "http",
+    "HTTPS",
    "https",
    "websocket",
    "network routing",
    "ssl redirect",
    "port mapping",
    "reverse proxy",
-    "authentication"
+    "server",
    "network security"
  ],
  "homepage": "https://code.foss.global/push.rocks/smartproxy#readme",
  "repository": {
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
--- a/readme.md
+++ b/readme.md
@ -1,104 +1,479 @@
 # @push.rocks/smartproxy
-A proxy for handling high workloads of proxying.
+A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.
-## Install
+## Architecture & Flow Diagrams
-To install `@push.rocks/smartproxy`, run the following command in your project's root directory:
+### Component Architecture
 The diagram below illustrates the main components of SmartProxy and how they interact:
-```bash
+```mermaid
-npm install @push.rocks/smartproxy --save
+flowchart TB
    Client([Client])
    subgraph "SmartProxy Components"
        direction TB
        HTTP80[HTTP Port 80\nSslRedirect]
        HTTPS443[HTTPS Port 443\nNetworkProxy]
        PortProxy[TCP Port Proxy\nwith SNI routing]
        IPTables[IPTablesProxy]
        Router[ProxyRouter]
        ACME[Port80Handler\nACME/Let's Encrypt]
        Certs[(SSL Certificates)]
    end
    subgraph "Backend Services"
        Service1[Service 1]
        Service2[Service 2]
        Service3[Service 3]
    end
    Client -->|HTTP Request| HTTP80
    HTTP80 -->|Redirect| Client
    Client -->|HTTPS Request| HTTPS443
    Client -->|TLS/TCP| PortProxy
    HTTPS443 -->|Route Request| Router
    Router -->|Proxy Request| Service1
    Router -->|Proxy Request| Service2
    PortProxy -->|Direct TCP| Service2
    PortProxy -->|Direct TCP| Service3
    IPTables -.->|Low-level forwarding| PortProxy
    HTTP80 -.->|Challenge Response| ACME
    ACME -.->|Generate/Manage| Certs
    Certs -.->|Provide TLS Certs| HTTPS443
    classDef component fill:#f9f,stroke:#333,stroke-width:2px;
    classDef backend fill:#bbf,stroke:#333,stroke-width:1px;
    classDef client fill:#dfd,stroke:#333,stroke-width:2px;
    class Client client;
    class HTTP80,HTTPS443,PortProxy,IPTables,Router,ACME component;
    class Service1,Service2,Service3 backend;
 ```
-This will add `@push.rocks/smartproxy` to your project's dependencies.
+### HTTPS Reverse Proxy Flow
 This diagram shows how HTTPS requests are handled and proxied to backend services:
 ```mermaid
 sequenceDiagram
    participant Client
    participant NetworkProxy
    participant ProxyRouter
    participant Backend
    Client->>NetworkProxy: HTTPS Request
    Note over NetworkProxy: TLS Termination
    NetworkProxy->>ProxyRouter: Route Request
    ProxyRouter->>ProxyRouter: Match hostname to config
    alt Authentication Required
        NetworkProxy->>Client: Request Authentication
        Client->>NetworkProxy: Send Credentials
        NetworkProxy->>NetworkProxy: Validate Credentials
    end
    NetworkProxy->>Backend: Forward Request
    Backend->>NetworkProxy: Response
    Note over NetworkProxy: Add Default Headers
    NetworkProxy->>Client: Forward Response
    alt WebSocket Request
        Client->>NetworkProxy: Upgrade to WebSocket
        NetworkProxy->>Backend: Upgrade to WebSocket
        loop WebSocket Active
            Client->>NetworkProxy: WebSocket Message
            NetworkProxy->>Backend: Forward Message
            Backend->>NetworkProxy: WebSocket Message
            NetworkProxy->>Client: Forward Message
            NetworkProxy-->>NetworkProxy: Heartbeat Check
        end
    end
 ```
 ### Port Proxy with SNI-based Routing
 This diagram illustrates how TCP connections with SNI (Server Name Indication) are processed and forwarded:
 ```mermaid
 sequenceDiagram
    participant Client
    participant PortProxy
    participant Backend
    Client->>PortProxy: TLS Connection
    alt SNI Enabled
        PortProxy->>Client: Accept Connection
        Client->>PortProxy: TLS ClientHello with SNI
        PortProxy->>PortProxy: Extract SNI Hostname
        PortProxy->>PortProxy: Match Domain Config
        PortProxy->>PortProxy: Validate Client IP
        alt IP Allowed
            PortProxy->>Backend: Forward Connection
            Note over PortProxy,Backend: Bidirectional Data Flow
        else IP Rejected
            PortProxy->>Client: Close Connection
        end
    else Port-based Routing
        PortProxy->>PortProxy: Match Port Range
        PortProxy->>PortProxy: Find Domain Config
        PortProxy->>PortProxy: Validate Client IP
        alt IP Allowed
            PortProxy->>Backend: Forward Connection
            Note over PortProxy,Backend: Bidirectional Data Flow
        else IP Rejected
            PortProxy->>Client: Close Connection
        end
    end
    loop Connection Active
        PortProxy-->>PortProxy: Monitor Activity
        PortProxy-->>PortProxy: Check Max Lifetime
        alt Inactivity or Max Lifetime Exceeded
            PortProxy->>Client: Close Connection
            PortProxy->>Backend: Close Connection
        end
    end
 ```
 ### Let's Encrypt Certificate Acquisition
 This diagram shows how certificates are automatically acquired through the ACME protocol:
 ```mermaid
 sequenceDiagram
    participant Client
    participant Port80Handler
    participant ACME as Let's Encrypt ACME
    participant NetworkProxy
    Client->>Port80Handler: HTTP Request for domain
    alt Certificate Exists
        Port80Handler->>Client: Redirect to HTTPS
    else No Certificate
        Port80Handler->>Port80Handler: Mark domain as obtaining cert
        Port80Handler->>ACME: Create account & new order
        ACME->>Port80Handler: Challenge information
        Port80Handler->>Port80Handler: Store challenge token & key authorization
        ACME->>Port80Handler: HTTP-01 Challenge Request
        Port80Handler->>ACME: Challenge Response
        ACME->>ACME: Validate domain ownership
        ACME->>Port80Handler: Challenge validated
        Port80Handler->>Port80Handler: Generate CSR
        Port80Handler->>ACME: Submit CSR
        ACME->>Port80Handler: Issue Certificate
        Port80Handler->>Port80Handler: Store certificate & private key
        Port80Handler->>Port80Handler: Mark certificate as obtained
        Note over Port80Handler,NetworkProxy: Certificate available for use
        Client->>Port80Handler: Another HTTP Request
        Port80Handler->>Client: Redirect to HTTPS
        Client->>NetworkProxy: HTTPS Request
        Note over NetworkProxy: Uses new certificate
    end
 ```
 ## Features
 - **HTTPS Reverse Proxy** - Route traffic to backend services based on hostname with TLS termination
 - **WebSocket Support** - Full WebSocket proxying with heartbeat monitoring
 - **TCP Port Forwarding** - Advanced port forwarding with SNI inspection and domain-based routing
 - **Enhanced TLS Handling** - Robust TLS handshake processing with improved certificate error handling
 - **HTTP to HTTPS Redirection** - Automatically redirect HTTP requests to HTTPS
 - **Let's Encrypt Integration** - Automatic certificate management using ACME protocol
 - **IP Filtering** - Control access with IP allow/block lists using glob patterns
 - **IPTables Integration** - Direct manipulation of iptables for low-level port forwarding
 - **Basic Authentication** - Support for basic auth on proxied routes
 - **Connection Management** - Intelligent connection tracking and cleanup with configurable timeouts
 - **Browser Compatibility** - Optimized for modern browsers with fixes for common TLS handshake issues
 ## Installation
 ```bash
 npm install @push.rocks/smartproxy
 ```
 ## Usage
-`@push.rocks/smartproxy` is a versatile package for setting up and handling proxies with various capabilities such as SSL redirection, port proxying, and creating network proxies with complex routing rules. Below is a comprehensive guide on using its features.
+### Basic Reverse Proxy Setup
 ### Setting Up a Network Proxy
 Create a network proxy to route incoming HTTPS requests to different local servers based on the hostname.
 ```typescript
 import { NetworkProxy } from '@push.rocks/smartproxy';
-// Instantiate the NetworkProxy with desired options
+// Create a reverse proxy listening on port 443
-const myNetworkProxy = new NetworkProxy({ port: 443 });
+const proxy = new NetworkProxy({
  port: 443
 });
-// Define your reverse proxy configurations
+// Define reverse proxy configurations
 const proxyConfigs = [
  {
    destinationIp: '127.0.0.1',
    destinationPort: '3000',
    hostName: 'example.com',
-    privateKey: `-----BEGIN PRIVATE KEY-----
+    destinationIp: '127.0.0.1',
-PRIVATE_KEY_CONTENT
+    destinationPort: 3000,
-----END PRIVATE KEY-----`,
+    publicKey: 'your-cert-content',
-    publicKey: `-----BEGIN CERTIFICATE-----
+    privateKey: 'your-key-content'
 CERTIFICATE_CONTENT
 -----END CERTIFICATE-----`,
  },
-  // Add more reverse proxy configurations here
+  {
    hostName: 'api.example.com',
    destinationIp: '127.0.0.1',
    destinationPort: 4000,
    publicKey: 'your-cert-content',
    privateKey: 'your-key-content',
    // Optional basic auth
    authentication: {
      type: 'Basic',
      user: 'admin',
      pass: 'secret'
    }
  }
 ];
-// Start the network proxy
+// Start the proxy and update configurations
-await myNetworkProxy.start();
+(async () => {
  await proxy.start();
  await proxy.updateProxyConfigs(proxyConfigs);
-// Update proxy configurations dynamically
+  // Add default headers to all responses
-await myNetworkProxy.updateProxyConfigs(proxyConfigs);
+  await proxy.addDefaultHeaders({
-
+    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload'
 // Optionally, add default headers to all responses
 await myNetworkProxy.addDefaultHeaders({
  'X-Powered-By': 'smartproxy',
  });
 })();
 ```
-### Port Proxying
+### HTTP to HTTPS Redirection
 You can also set up a port proxy to forward traffic from one port to another, which is useful for dynamic port forwarding scenarios.
 ```typescript
 import { PortProxy } from '@push.rocks/smartproxy';
 // Create a PortProxy to forward traffic from port 5000 to port 3000
 const myPortProxy = new PortProxy(5000, 3000);
 // Start the port proxy
 await myPortProxy.start();
 // To stop the port proxy, simply call
 await myPortProxy.stop();
 ```
 ### Enabling SSL Redirection
 Easily redirect HTTP traffic to HTTPS using the `SslRedirect` class. This is particularly useful when ensuring all traffic uses encryption.
 ```typescript
 import { SslRedirect } from '@push.rocks/smartproxy';
-// Instantiate the SslRedirect on port 80 (HTTP)
+// Create and start HTTP to HTTPS redirect service on port 80
-const mySslRedirect = new SslRedirect(80);
+const redirector = new SslRedirect(80);
-
+redirector.start();
 // Start listening and redirecting to HTTPS
 await mySslRedirect.start();
 // To stop the redirection, use
 await mySslRedirect.stop();
 ```
-### Advanced Usage
+### TCP Port Forwarding with Domain-based Routing
-The package integrates seamlessly with TypeScript, allowing for advanced use cases, such as implementing custom routing logic, authentication mechanisms, and handling WebSocket connections through the network proxy.
+```typescript
 import { PortProxy } from '@push.rocks/smartproxy';
-For a more advanced setup involving WebSocket proxying and dynamic configuration reloading, refer to the network proxy example provided above. The WebSocket support demonstrates how seamless it is to work with real-time applications.
+// Configure port proxy with domain-based routing
 const portProxy = new PortProxy({
  fromPort: 443,
  toPort: 8443,
  targetIP: 'localhost', // Default target host
  sniEnabled: true,      // Enable SNI inspection
-Remember, when dealing with certificates and private keys for HTTPS configurations, always secure your keys and store them appropriately.
+  // Enhanced reliability settings
  initialDataTimeout: 60000,        // 60 seconds for initial TLS handshake
  socketTimeout: 3600000,           // 1 hour socket timeout
  maxConnectionLifetime: 3600000,   // 1 hour connection lifetime
  inactivityTimeout: 3600000,       // 1 hour inactivity timeout
  maxPendingDataSize: 10 * 1024 * 1024, // 10MB buffer for large TLS handshakes
-`@push.rocks/smartproxy` provides a solid foundation for handling high workloads and complex proxying requirements with ease, whether you're implementing SSL redirections, port forwarding, or extensive routing and WebSocket support in your network.
+  // Browser compatibility enhancement
  enableTlsDebugLogging: false,     // Enable for troubleshooting TLS issues
-For more information on how to use the features, refer to the in-depth documentation available in the package's repository or the npm package description.
+  // Port and IP configuration
  globalPortRanges: [{ from: 443, to: 443 }],
  defaultAllowedIPs: ['*'], // Allow all IPs by default
  // Socket optimizations for better connection stability
  noDelay: true,                    // Disable Nagle's algorithm
  keepAlive: true,                  // Enable TCP keepalive
  enableKeepAliveProbes: true,      // Enhanced keepalive for stability
  // Domain-specific routing configuration
  domainConfigs: [
    {
      domains: ['example.com', '*.example.com'], // Glob patterns for matching domains
      allowedIPs: ['192.168.1.*'],               // Restrict access by IP
      blockedIPs: ['192.168.1.100'],             // Block specific IPs
      targetIPs: ['10.0.0.1', '10.0.0.2'],       // Round-robin between multiple targets
      portRanges: [{ from: 443, to: 443 }],
      connectionTimeout: 7200000                 // Domain-specific timeout (2 hours)
    }
  ],
  preserveSourceIP: true
 });
 portProxy.start();
 ```
 ### IPTables Port Forwarding
 ```typescript
 import { IPTablesProxy } from '@push.rocks/smartproxy';
 // Configure IPTables to forward from port 80 to 8080
 const iptables = new IPTablesProxy({
  fromPort: 80,
  toPort: 8080,
  toHost: 'localhost',
  preserveSourceIP: true,
  deleteOnExit: true  // Automatically clean up rules on process exit
 });
 iptables.start();
 ```
 ### Automatic HTTPS Certificate Management
 ```typescript
 import { Port80Handler } from '@push.rocks/smartproxy';
 // Create an ACME handler for Let's Encrypt
 const acmeHandler = new Port80Handler();
 // Add domains to manage certificates for
 acmeHandler.addDomain('example.com');
 acmeHandler.addDomain('api.example.com');
 ```
 ## Configuration Options
 ### NetworkProxy Options
 | Option         | Description                                       | Default |
 |----------------|---------------------------------------------------|---------|
 | `port`         | Port to listen on for HTTPS connections           | -       |
 ### PortProxy Settings
 | Option                    | Description                                            | Default     |
 |---------------------------|--------------------------------------------------------|-------------|
 | `fromPort`                | Port to listen on                                      | -           |
 | `toPort`                  | Destination port to forward to                         | -           |
 | `targetIP`                | Default destination IP if not specified in domainConfig | 'localhost' |
 | `sniEnabled`              | Enable SNI inspection for TLS connections              | false       |
 | `defaultAllowedIPs`       | IP patterns allowed by default                         | -           |
 | `defaultBlockedIPs`       | IP patterns blocked by default                         | -           |
 | `preserveSourceIP`        | Preserve the original client IP                        | false       |
 | `maxConnectionLifetime`   | Maximum time in ms to keep a connection open           | 3600000     |
 | `initialDataTimeout`      | Timeout for initial data/handshake in ms               | 60000       |
 | `socketTimeout`           | Socket inactivity timeout in ms                        | 3600000     |
 | `inactivityTimeout`       | Connection inactivity check timeout in ms              | 3600000     |
 | `inactivityCheckInterval` | How often to check for inactive connections in ms      | 60000       |
 | `maxPendingDataSize`      | Maximum bytes to buffer during connection setup        | 10485760    |
 | `globalPortRanges`        | Array of port ranges to listen on                      | -           |
 | `forwardAllGlobalRanges`  | Forward all global range connections to targetIP       | false       |
 | `gracefulShutdownTimeout` | Time in ms to wait during shutdown                     | 30000       |
 | `noDelay`                 | Disable Nagle's algorithm                              | true        |
 | `keepAlive`               | Enable TCP keepalive                                   | true        |
 | `keepAliveInitialDelay`   | Initial delay before sending keepalive probes in ms    | 30000       |
 | `enableKeepAliveProbes`   | Enable enhanced TCP keep-alive probes                  | false       |
 | `enableTlsDebugLogging`   | Enable detailed TLS handshake debugging                | false       |
 | `enableDetailedLogging`   | Enable detailed connection logging                     | false       |
 | `enableRandomizedTimeouts`| Randomize timeouts slightly to prevent thundering herd | true        |
 ### IPTablesProxy Settings
 | Option            | Description                                 | Default     |
 |-------------------|---------------------------------------------|-------------|
 | `fromPort`        | Source port to forward from                 | -           |
 | `toPort`          | Destination port to forward to              | -           |
 | `toHost`          | Destination host to forward to              | 'localhost' |
 | `preserveSourceIP`| Preserve the original client IP             | false       |
 | `deleteOnExit`    | Remove iptables rules when process exits    | false       |
 ## Advanced Features
 ### TLS Handshake Optimization
 The enhanced `PortProxy` implementation includes significant improvements for TLS handshake handling:
 - Robust SNI extraction with improved error handling
 - Increased buffer size for complex TLS handshakes (10MB)
 - Longer initial handshake timeout (60 seconds)
 - Detection and tracking of TLS connection states
 - Optional detailed TLS debug logging for troubleshooting
 - Browser compatibility fixes for Chrome certificate errors
 ```typescript
 // Example configuration to solve Chrome certificate errors
 const portProxy = new PortProxy({
  // ... other settings
  initialDataTimeout: 60000,            // Give browser more time for handshake
  maxPendingDataSize: 10 * 1024 * 1024, // Larger buffer for complex handshakes
  enableTlsDebugLogging: true,          // Enable when troubleshooting
 });
 ```
 ### Connection Management and Monitoring
 The `PortProxy` class includes built-in connection tracking and monitoring:
 - Automatic cleanup of idle connections with configurable timeouts
 - Timeouts for connections that exceed maximum lifetime
 - Detailed logging of connection states
 - Termination statistics
 - Randomized timeouts to prevent "thundering herd" problems
 - Per-domain timeout configuration
 ### WebSocket Support
 The `NetworkProxy` class provides WebSocket support with:
 - WebSocket connection proxying
 - Automatic heartbeat monitoring
 - Connection cleanup for inactive WebSockets
 ### SNI-based Routing
 The `PortProxy` class can inspect the SNI (Server Name Indication) field in TLS handshakes to route connections based on the requested domain:
 - Multiple backend targets per domain
 - Round-robin load balancing
 - Domain-specific allowed IP ranges
 - Protection against SNI renegotiation attacks
 ## Troubleshooting
 ### Browser Certificate Errors
 If you experience certificate errors in browsers, especially in Chrome, try these solutions:
 1. **Increase Initial Data Timeout**: Set `initialDataTimeout` to 60 seconds or higher
 2. **Increase Buffer Size**: Set `maxPendingDataSize` to 10MB or higher
 3. **Enable TLS Debug Logging**: Set `enableTlsDebugLogging: true` to troubleshoot handshake issues
 4. **Enable Keep-Alive Probes**: Set `enableKeepAliveProbes: true` for better connection stability
 5. **Check Certificate Chain**: Ensure your certificate chain is complete and in the correct order
 ```typescript
 // Configuration to fix Chrome certificate errors
 const portProxy = new PortProxy({
  // ... other settings
  initialDataTimeout: 60000,
  maxPendingDataSize: 10 * 1024 * 1024,
  enableTlsDebugLogging: true,
  enableKeepAliveProbes: true
 });
 ```
 ### Connection Stability
 For improved connection stability in high-traffic environments:
 1. **Set Appropriate Timeouts**: Use longer timeouts for long-lived connections
 2. **Use Domain-Specific Timeouts**: Configure per-domain timeouts for different types of services
 3. **Enable TCP Keep-Alive**: Ensure `keepAlive` is set to `true`
 4. **Monitor Connection Statistics**: Enable detailed logging to track termination reasons
 5. **Fine-tune Inactivity Checks**: Adjust `inactivityCheckInterval` based on your traffic patterns
 ## License and Legal Information
--- a/test/test.portproxy.ts
+++ b/test/test.portproxy.ts
@ -1,6 +1,6 @@
 import { expect, tap } from '@push.rocks/tapbundle';
 import * as net from 'net';
-import { PortProxy } from '../ts/smartproxy.portproxy.js';
+import { PortProxy } from '../ts/classes.portproxy.js';
 let testServer: net.Server;
 let portProxy: PortProxy;
@ -8,112 +8,335 @@ const TEST_SERVER_PORT = 4000;
 const PROXY_PORT = 4001;
 const TEST_DATA = 'Hello through port proxy!';
-// Helper function to create a test TCP server
+// Track all created servers and proxies for proper cleanup
-function createTestServer(port: number): Promise<net.Server> {
+const allServers: net.Server[] = [];
 const allProxies: PortProxy[] = [];
 // Helper: Creates a test TCP server that listens on a given port and host.
 function createTestServer(port: number, host: string = 'localhost'): Promise<net.Server> {
  return new Promise((resolve) => {
    const server = net.createServer((socket) => {
      socket.on('data', (data) => {
-        // Echo the received data back
+        // Echo the received data back with a prefix.
        socket.write(`Echo: ${data.toString()}`);
      });
      socket.on('error', (error) => {
-        console.error('[Test Server] Socket error:', error);
+        console.error(`[Test Server] Socket error on ${host}:${port}:`, error);
      });
    });
-
+    server.listen(port, host, () => {
-    server.listen(port, () => {
+      console.log(`[Test Server] Listening on ${host}:${port}`);
-      console.log(`[Test Server] Listening on port ${port}`);
+      allServers.push(server); // Track this server
      resolve(server);
    });
  });
 }
-// Helper function to create a test client connection
+// Helper: Creates a test client connection.
 function createTestClient(port: number, data: string): Promise<string> {
  return new Promise((resolve, reject) => {
    const client = new net.Socket();
    let response = '';
    const timeout = setTimeout(() => {
      client.destroy();
      reject(new Error(`Client connection timeout to port ${port}`));
    }, 5000);
    client.connect(port, 'localhost', () => {
      console.log('[Test Client] Connected to server');
      client.write(data);
    });
    client.on('data', (chunk) => {
      response += chunk.toString();
      client.end();
    });
    client.on('end', () => {
      clearTimeout(timeout);
      resolve(response);
    });
    client.on('error', (error) => {
      clearTimeout(timeout);
      reject(error);
    });
  });
 }
-// Setup test environment
+// SETUP: Create a test server and a PortProxy instance.
 tap.test('setup port proxy test environment', async () => {
  testServer = await createTestServer(TEST_SERVER_PORT);
-  portProxy = new PortProxy(PROXY_PORT, TEST_SERVER_PORT);
+  portProxy = new PortProxy({
    fromPort: PROXY_PORT,
    toPort: TEST_SERVER_PORT,
    targetIP: 'localhost',
    domainConfigs: [],
    sniEnabled: false,
    defaultAllowedIPs: ['127.0.0.1'],
    globalPortRanges: []
  });
  allProxies.push(portProxy); // Track this proxy
 });
 // Test that the proxy starts and its servers are listening.
 tap.test('should start port proxy', async () => {
  await portProxy.start();
-  expect(portProxy.netServer.listening).toBeTrue();
+  expect((portProxy as any).netServers.every((server: net.Server) => server.listening)).toBeTrue();
 });
-tap.test('should forward TCP connections and data', async () => {
+// Test basic TCP forwarding.
 tap.test('should forward TCP connections and data to localhost', async () => {
  const response = await createTestClient(PROXY_PORT, TEST_DATA);
  expect(response).toEqual(`Echo: ${TEST_DATA}`);
 });
 // Test proxy with a custom target host.
 tap.test('should forward TCP connections to custom host', async () => {
  const customHostProxy = new PortProxy({
    fromPort: PROXY_PORT + 1,
    toPort: TEST_SERVER_PORT,
    targetIP: '127.0.0.1',
    domainConfigs: [],
    sniEnabled: false,
    defaultAllowedIPs: ['127.0.0.1'],
    globalPortRanges: []
  });
  allProxies.push(customHostProxy); // Track this proxy
  await customHostProxy.start();
  const response = await createTestClient(PROXY_PORT + 1, TEST_DATA);
  expect(response).toEqual(`Echo: ${TEST_DATA}`);
  await customHostProxy.stop();
  // Remove from tracking after stopping
  const index = allProxies.indexOf(customHostProxy);
  if (index !== -1) allProxies.splice(index, 1);
 });
 // Test custom IP forwarding
 // SIMPLIFIED: This version avoids port ranges and domain configs to prevent loops
 tap.test('should forward connections to custom IP', async () => {
  // Set up ports that are FAR apart to avoid any possible confusion
  const forcedProxyPort = PROXY_PORT + 2;  // 4003 - The port that our proxy listens on
  const targetServerPort = TEST_SERVER_PORT + 200;  // 4200 - Target test server on another IP
  // Create a test server listening on 127.0.0.2:4200
  const testServer2 = await createTestServer(targetServerPort, '127.0.0.2');
  // Simplify the test drastically - use ONE proxy with very explicit configuration
  const domainProxy = new PortProxy({
    fromPort: forcedProxyPort,  // 4003 - Listen on this port
    toPort: targetServerPort,   // 4200 - Default forwarding port - MUST BE DIFFERENT from fromPort
    targetIP: '127.0.0.2',      // Forward to IP where test server is
    domainConfigs: [],          // No domain configs to confuse things
    sniEnabled: false,
    defaultAllowedIPs: ['127.0.0.1', '::ffff:127.0.0.1'], // Allow localhost
    // We'll test the functionality WITHOUT port ranges this time
    globalPortRanges: []
  });
  allProxies.push(domainProxy); // Track this proxy
  await domainProxy.start();
  // Send a single test connection
  const response = await createTestClient(forcedProxyPort, TEST_DATA);
  expect(response).toEqual(`Echo: ${TEST_DATA}`);
  await domainProxy.stop();
  // Remove from tracking after stopping
  const proxyIndex = allProxies.indexOf(domainProxy);
  if (proxyIndex !== -1) allProxies.splice(proxyIndex, 1);
  // Close the test server
  await new Promise<void>((resolve) => testServer2.close(() => resolve()));
  // Remove from tracking
  const serverIndex = allServers.indexOf(testServer2);
  if (serverIndex !== -1) allServers.splice(serverIndex, 1);
 });
 // Test handling of multiple concurrent connections.
 tap.test('should handle multiple concurrent connections', async () => {
  const concurrentRequests = 5;
  const requests = Array(concurrentRequests).fill(null).map((_, i) =>
    createTestClient(PROXY_PORT, `${TEST_DATA} ${i + 1}`)
  );
  const responses = await Promise.all(requests);
  responses.forEach((response, i) => {
    expect(response).toEqual(`Echo: ${TEST_DATA} ${i + 1}`);
  });
 });
 // Test connection timeout handling.
 tap.test('should handle connection timeouts', async () => {
  const client = new net.Socket();
  await new Promise<void>((resolve) => {
    // Add a timeout to ensure we don't hang here
    const timeout = setTimeout(() => {
      client.destroy();
      resolve();
    }, 3000);
    client.connect(PROXY_PORT, 'localhost', () => {
-      // Don't send any data, just wait for timeout
+      // Do not send any data to trigger a timeout.
      client.on('close', () => {
        clearTimeout(timeout);
        resolve();
      });
    });
    client.on('error', () => {
      clearTimeout(timeout);
      client.destroy();
      resolve();
    });
  });
 });
 });
 // Test stopping the port proxy.
 tap.test('should stop port proxy', async () => {
  await portProxy.stop();
-  expect(portProxy.netServer.listening).toBeFalse();
+  expect((portProxy as any).netServers.every((server: net.Server) => !server.listening)).toBeTrue();
  // Remove from tracking
  const index = allProxies.indexOf(portProxy);
  if (index !== -1) allProxies.splice(index, 1);
 });
-// Cleanup
+// Test chained proxies with and without source IP preservation.
 tap.test('should support optional source IP preservation in chained proxies', async () => {
  // Chained proxies without IP preservation.
  const firstProxyDefault = new PortProxy({
    fromPort: PROXY_PORT + 4,
    toPort: PROXY_PORT + 5,
    targetIP: 'localhost',
    domainConfigs: [],
    sniEnabled: false,
    defaultAllowedIPs: ['127.0.0.1', '::ffff:127.0.0.1'],
    globalPortRanges: []
  });
  const secondProxyDefault = new PortProxy({
    fromPort: PROXY_PORT + 5,
    toPort: TEST_SERVER_PORT,
    targetIP: 'localhost',
    domainConfigs: [],
    sniEnabled: false,
    defaultAllowedIPs: ['127.0.0.1', '::ffff:127.0.0.1'],
    globalPortRanges: []
  });
  allProxies.push(firstProxyDefault, secondProxyDefault); // Track these proxies
  await secondProxyDefault.start();
  await firstProxyDefault.start();
  const response1 = await createTestClient(PROXY_PORT + 4, TEST_DATA);
  expect(response1).toEqual(`Echo: ${TEST_DATA}`);
  await firstProxyDefault.stop();
  await secondProxyDefault.stop();
  // Remove from tracking
  const index1 = allProxies.indexOf(firstProxyDefault);
  if (index1 !== -1) allProxies.splice(index1, 1);
  const index2 = allProxies.indexOf(secondProxyDefault);
  if (index2 !== -1) allProxies.splice(index2, 1);
  // Chained proxies with IP preservation.
  const firstProxyPreserved = new PortProxy({
    fromPort: PROXY_PORT + 6,
    toPort: PROXY_PORT + 7,
    targetIP: 'localhost',
    domainConfigs: [],
    sniEnabled: false,
    defaultAllowedIPs: ['127.0.0.1'],
    preserveSourceIP: true,
    globalPortRanges: []
  });
  const secondProxyPreserved = new PortProxy({
    fromPort: PROXY_PORT + 7,
    toPort: TEST_SERVER_PORT,
    targetIP: 'localhost',
    domainConfigs: [],
    sniEnabled: false,
    defaultAllowedIPs: ['127.0.0.1'],
    preserveSourceIP: true,
    globalPortRanges: []
  });
  allProxies.push(firstProxyPreserved, secondProxyPreserved); // Track these proxies
  await secondProxyPreserved.start();
  await firstProxyPreserved.start();
  const response2 = await createTestClient(PROXY_PORT + 6, TEST_DATA);
  expect(response2).toEqual(`Echo: ${TEST_DATA}`);
  await firstProxyPreserved.stop();
  await secondProxyPreserved.stop();
  // Remove from tracking
  const index3 = allProxies.indexOf(firstProxyPreserved);
  if (index3 !== -1) allProxies.splice(index3, 1);
  const index4 = allProxies.indexOf(secondProxyPreserved);
  if (index4 !== -1) allProxies.splice(index4, 1);
 });
 // Test round-robin behavior for multiple target IPs in a domain config.
 tap.test('should use round robin for multiple target IPs in domain config', async () => {
  const domainConfig = {
    domains: ['rr.test'],
    allowedIPs: ['127.0.0.1'],
    targetIPs: ['hostA', 'hostB']
  } as any;
  const proxyInstance = new PortProxy({
    fromPort: 0,
    toPort: 0,
    targetIP: 'localhost',
    domainConfigs: [domainConfig],
    sniEnabled: false,
    defaultAllowedIPs: [],
    globalPortRanges: []
  });
  // Don't track this proxy as it doesn't actually start or listen
  const firstTarget = (proxyInstance as any).getTargetIP(domainConfig);
  const secondTarget = (proxyInstance as any).getTargetIP(domainConfig);
  expect(firstTarget).toEqual('hostA');
  expect(secondTarget).toEqual('hostB');
 });
 // CLEANUP: Tear down all servers and proxies
 tap.test('cleanup port proxy test environment', async () => {
-  await new Promise<void>((resolve) => testServer.close(() => resolve()));
+  // Stop all remaining proxies
-});
+  for (const proxy of [...allProxies]) {
    try {
      await proxy.stop();
      const index = allProxies.indexOf(proxy);
      if (index !== -1) allProxies.splice(index, 1);
    } catch (err) {
      console.error(`Error stopping proxy: ${err}`);
    }
  }
-process.on('exit', () => {
+  // Close all remaining servers
-  if (testServer) {
+  for (const server of [...allServers]) {
-    testServer.close();
+    try {
      await new Promise<void>((resolve) => {
        if (server.listening) {
          server.close(() => resolve());
        } else {
          resolve();
        }
-  if (portProxy && portProxy.netServer) {
+      });
-    portProxy.stop();
+      const index = allServers.indexOf(server);
      if (index !== -1) allServers.splice(index, 1);
    } catch (err) {
      console.error(`Error closing server: ${err}`);
    }
  }
  // Verify all resources are cleaned up
  expect(allProxies.length).toEqual(0);
  expect(allServers.length).toEqual(0);
 });
 export default tap.start();
--- a/test/test.router.ts
+++ b/test/test.router.ts
@ -0,0 +1,346 @@
 import { expect, tap } from '@push.rocks/tapbundle';
 import * as tsclass from '@tsclass/tsclass';
 import * as http from 'http';
 import { ProxyRouter, type IRouterResult } from '../ts/classes.router.js';
 // Test proxies and configurations
 let router: ProxyRouter;
 // Sample hostname for testing
 const TEST_DOMAIN = 'example.com';
 const TEST_SUBDOMAIN = 'api.example.com';
 const TEST_WILDCARD = '*.example.com';
 // Helper: Creates a mock HTTP request for testing
 function createMockRequest(host: string, url: string = '/'): http.IncomingMessage {
  const req = {
    headers: { host },
    url,
    socket: {
      remoteAddress: '127.0.0.1'
    }
  } as any;
  return req;
 }
 // Helper: Creates a test proxy configuration
 function createProxyConfig(
  hostname: string, 
  destinationIp: string = '10.0.0.1',
  destinationPort: number = 8080
 ): tsclass.network.IReverseProxyConfig {
  return {
    hostName: hostname,
    destinationIp,
    destinationPort: destinationPort.toString(), // Convert to string for IReverseProxyConfig
    publicKey: 'mock-cert',
    privateKey: 'mock-key'
  } as tsclass.network.IReverseProxyConfig;
 }
 // SETUP: Create a ProxyRouter instance
 tap.test('setup proxy router test environment', async () => {
  router = new ProxyRouter();
  // Initialize with empty config
  router.setNewProxyConfigs([]);
 });
 // Test basic routing by hostname
 tap.test('should route requests by hostname', async () => {
  const config = createProxyConfig(TEST_DOMAIN);
  router.setNewProxyConfigs([config]);
  const req = createMockRequest(TEST_DOMAIN);
  const result = router.routeReq(req);
  expect(result).toBeTruthy();
  expect(result).toEqual(config);
 });
 // Test handling of hostname with port number
 tap.test('should handle hostname with port number', async () => {
  const config = createProxyConfig(TEST_DOMAIN);
  router.setNewProxyConfigs([config]);
  const req = createMockRequest(`${TEST_DOMAIN}:443`);
  const result = router.routeReq(req);
  expect(result).toBeTruthy();
  expect(result).toEqual(config);
 });
 // Test case-insensitive hostname matching
 tap.test('should perform case-insensitive hostname matching', async () => {
  const config = createProxyConfig(TEST_DOMAIN.toLowerCase());
  router.setNewProxyConfigs([config]);
  const req = createMockRequest(TEST_DOMAIN.toUpperCase());
  const result = router.routeReq(req);
  expect(result).toBeTruthy();
  expect(result).toEqual(config);
 });
 // Test handling of unmatched hostnames
 tap.test('should return undefined for unmatched hostnames', async () => {
  const config = createProxyConfig(TEST_DOMAIN);
  router.setNewProxyConfigs([config]);
  const req = createMockRequest('unknown.domain.com');
  const result = router.routeReq(req);
  expect(result).toBeUndefined();
 });
 // Test adding path patterns
 tap.test('should match requests using path patterns', async () => {
  const config = createProxyConfig(TEST_DOMAIN);
  router.setNewProxyConfigs([config]);
  // Add a path pattern to the config
  router.setPathPattern(config, '/api/users');
  // Test that path matches
  const req1 = createMockRequest(TEST_DOMAIN, '/api/users');
  const result1 = router.routeReqWithDetails(req1);
  expect(result1).toBeTruthy();
  expect(result1.config).toEqual(config);
  expect(result1.pathMatch).toEqual('/api/users');
  // Test that non-matching path doesn't match
  const req2 = createMockRequest(TEST_DOMAIN, '/web/users');
  const result2 = router.routeReqWithDetails(req2);
  expect(result2).toBeUndefined();
 });
 // Test handling wildcard patterns
 tap.test('should support wildcard path patterns', async () => {
  const config = createProxyConfig(TEST_DOMAIN);
  router.setNewProxyConfigs([config]);
  router.setPathPattern(config, '/api/*');
  // Test with path that matches the wildcard pattern
  const req = createMockRequest(TEST_DOMAIN, '/api/users/123');
  const result = router.routeReqWithDetails(req);
  expect(result).toBeTruthy();
  expect(result.config).toEqual(config);
  expect(result.pathMatch).toEqual('/api');
  // Print the actual value to diagnose issues
  console.log('Path remainder value:', result.pathRemainder);
  expect(result.pathRemainder).toBeTruthy();
  expect(result.pathRemainder).toEqual('/users/123');
 });
 // Test extracting path parameters
 tap.test('should extract path parameters from URL', async () => {
  const config = createProxyConfig(TEST_DOMAIN);
  router.setNewProxyConfigs([config]);
  router.setPathPattern(config, '/users/:id/profile');
  const req = createMockRequest(TEST_DOMAIN, '/users/123/profile');
  const result = router.routeReqWithDetails(req);
  expect(result).toBeTruthy();
  expect(result.config).toEqual(config);
  expect(result.pathParams).toBeTruthy();
  expect(result.pathParams.id).toEqual('123');
 });
 // Test multiple configs for same hostname with different paths
 tap.test('should support multiple configs for same hostname with different paths', async () => {
  const apiConfig = createProxyConfig(TEST_DOMAIN, '10.0.0.1', 8001);
  const webConfig = createProxyConfig(TEST_DOMAIN, '10.0.0.2', 8002);
  // Add both configs
  router.setNewProxyConfigs([apiConfig, webConfig]);
  // Set different path patterns
  router.setPathPattern(apiConfig, '/api');
  router.setPathPattern(webConfig, '/web');
  // Test API path routes to API config
  const apiReq = createMockRequest(TEST_DOMAIN, '/api/users');
  const apiResult = router.routeReq(apiReq);
  expect(apiResult).toEqual(apiConfig);
  // Test web path routes to web config
  const webReq = createMockRequest(TEST_DOMAIN, '/web/dashboard');
  const webResult = router.routeReq(webReq);
  expect(webResult).toEqual(webConfig);
  // Test unknown path returns undefined
  const unknownReq = createMockRequest(TEST_DOMAIN, '/unknown');
  const unknownResult = router.routeReq(unknownReq);
  expect(unknownResult).toBeUndefined();
 });
 // Test wildcard subdomains
 tap.test('should match wildcard subdomains', async () => {
  const wildcardConfig = createProxyConfig(TEST_WILDCARD);
  router.setNewProxyConfigs([wildcardConfig]);
  // Test that subdomain.example.com matches *.example.com
  const req = createMockRequest('subdomain.example.com');
  const result = router.routeReq(req);
  expect(result).toBeTruthy();
  expect(result).toEqual(wildcardConfig);
 });
 // Test default configuration fallback
 tap.test('should fall back to default configuration', async () => {
  const defaultConfig = createProxyConfig('*');
  const specificConfig = createProxyConfig(TEST_DOMAIN);
  router.setNewProxyConfigs([defaultConfig, specificConfig]);
  // Test specific domain routes to specific config
  const specificReq = createMockRequest(TEST_DOMAIN);
  const specificResult = router.routeReq(specificReq);
  expect(specificResult).toEqual(specificConfig);
  // Test unknown domain falls back to default config
  const unknownReq = createMockRequest('unknown.com');
  const unknownResult = router.routeReq(unknownReq);
  expect(unknownResult).toEqual(defaultConfig);
 });
 // Test priority between exact and wildcard matches
 tap.test('should prioritize exact hostname over wildcard', async () => {
  const wildcardConfig = createProxyConfig(TEST_WILDCARD);
  const exactConfig = createProxyConfig(TEST_SUBDOMAIN);
  router.setNewProxyConfigs([wildcardConfig, exactConfig]);
  // Test that exact match takes priority
  const req = createMockRequest(TEST_SUBDOMAIN);
  const result = router.routeReq(req);
  expect(result).toEqual(exactConfig);
 });
 // Test adding and removing configurations
 tap.test('should manage configurations correctly', async () => {
  router.setNewProxyConfigs([]);
  // Add a config
  const config = createProxyConfig(TEST_DOMAIN);
  router.addProxyConfig(config);
  // Verify routing works
  const req = createMockRequest(TEST_DOMAIN);
  let result = router.routeReq(req);
  expect(result).toEqual(config);
  // Remove the config and verify it no longer routes
  const removed = router.removeProxyConfig(TEST_DOMAIN);
  expect(removed).toBeTrue();
  result = router.routeReq(req);
  expect(result).toBeUndefined();
 });
 // Test path pattern specificity
 tap.test('should prioritize more specific path patterns', async () => {
  const genericConfig = createProxyConfig(TEST_DOMAIN, '10.0.0.1', 8001);
  const specificConfig = createProxyConfig(TEST_DOMAIN, '10.0.0.2', 8002);
  router.setNewProxyConfigs([genericConfig, specificConfig]);
  router.setPathPattern(genericConfig, '/api/*');
  router.setPathPattern(specificConfig, '/api/users');
  // The more specific '/api/users' should match before the '/api/*' wildcard
  const req = createMockRequest(TEST_DOMAIN, '/api/users');
  const result = router.routeReq(req);
  expect(result).toEqual(specificConfig);
 });
 // Test getHostnames method
 tap.test('should retrieve all configured hostnames', async () => {
  router.setNewProxyConfigs([
    createProxyConfig(TEST_DOMAIN),
    createProxyConfig(TEST_SUBDOMAIN)
  ]);
  const hostnames = router.getHostnames();
  expect(hostnames.length).toEqual(2);
  expect(hostnames).toContain(TEST_DOMAIN.toLowerCase());
  expect(hostnames).toContain(TEST_SUBDOMAIN.toLowerCase());
 });
 // Test handling missing host header
 tap.test('should handle missing host header', async () => {
  const defaultConfig = createProxyConfig('*');
  router.setNewProxyConfigs([defaultConfig]);
  const req = createMockRequest('');
  req.headers.host = undefined;
  const result = router.routeReq(req);
  expect(result).toEqual(defaultConfig);
 });
 // Test complex path parameters
 tap.test('should handle complex path parameters', async () => {
  const config = createProxyConfig(TEST_DOMAIN);
  router.setNewProxyConfigs([config]);
  router.setPathPattern(config, '/api/:version/users/:userId/posts/:postId');
  const req = createMockRequest(TEST_DOMAIN, '/api/v1/users/123/posts/456');
  const result = router.routeReqWithDetails(req);
  expect(result).toBeTruthy();
  expect(result.config).toEqual(config);
  expect(result.pathParams).toBeTruthy();
  expect(result.pathParams.version).toEqual('v1');
  expect(result.pathParams.userId).toEqual('123');
  expect(result.pathParams.postId).toEqual('456');
 });
 // Performance test
 tap.test('should handle many configurations efficiently', async () => {
  const configs = [];
  // Create many configs with different hostnames
  for (let i = 0; i < 100; i++) {
    configs.push(createProxyConfig(`host-${i}.example.com`));
  }
  router.setNewProxyConfigs(configs);
  // Test middle of the list to avoid best/worst case
  const req = createMockRequest('host-50.example.com');
  const result = router.routeReq(req);
  expect(result).toEqual(configs[50]);
 });
 // Test cleanup
 tap.test('cleanup proxy router test environment', async () => {
  // Clear all configurations
  router.setNewProxyConfigs([]);
  // Verify empty state
  expect(router.getHostnames().length).toEqual(0);
  expect(router.getProxyConfigs().length).toEqual(0);
 });
 export default tap.start();
--- a/test/test.ts
+++ b/test/test.ts
@ -184,12 +184,32 @@ tap.test('setup test environment', async () => {
 });
 tap.test('should create proxy instance', async () => {
  // Test with the original minimal options (only port)
  testProxy = new smartproxy.NetworkProxy({
    port: 3001,
  });
  expect(testProxy).toEqual(testProxy); // Instance equality check
 });
 tap.test('should create proxy instance with extended options', async () => {
  // Test with extended options to verify backward compatibility
  testProxy = new smartproxy.NetworkProxy({
    port: 3001,
    maxConnections: 5000,
    keepAliveTimeout: 120000,
    headersTimeout: 60000,
    logLevel: 'info',
    cors: {
      allowOrigin: '*',
      allowMethods: 'GET, POST, OPTIONS',
      allowHeaders: 'Content-Type',
      maxAge: 3600
    }
  });
  expect(testProxy).toEqual(testProxy); // Instance equality check
  expect(testProxy.options.port).toEqual(3001);
 });
 tap.test('should start the proxy server', async () => {
  // Ensure any previous server is closed
  if (testProxy && testProxy.httpsServer) {
@ -249,7 +269,6 @@ tap.test('should handle unknown host headers', async () => {
  // Expect a 404 response with the appropriate error message.
  expect(response.statusCode).toEqual(404);
  expect(response.body).toEqual('This route is not available on this server.');
 });
 tap.test('should support WebSocket connections', async () => {
@ -382,6 +401,78 @@ tap.test('should handle custom headers', async () => {
  expect(response.headers['x-proxy-header']).toEqual('test-value');
 });
 tap.test('should handle CORS preflight requests', async () => {
  // Instead of creating a new proxy instance, let's update the options on the current one
  // First ensure the existing proxy is working correctly
  const initialResponse = await makeHttpsRequest({
    hostname: 'localhost',
    port: 3001,
    path: '/',
    method: 'GET',
    headers: { host: 'push.rocks' },
    rejectUnauthorized: false,
  });
  expect(initialResponse.statusCode).toEqual(200);
  // Add CORS headers to the existing proxy
  await testProxy.addDefaultHeaders({
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
    'Access-Control-Max-Age': '86400'
  });
  // Allow server to process the header changes
  await new Promise(resolve => setTimeout(resolve, 100));
  // Send OPTIONS request to simulate CORS preflight
  const response = await makeHttpsRequest({
    hostname: 'localhost',
    port: 3001,
    path: '/',
    method: 'OPTIONS',
    headers: {
      host: 'push.rocks',
      'Access-Control-Request-Method': 'POST',
      'Access-Control-Request-Headers': 'Content-Type',
      'Origin': 'https://example.com'
    },
    rejectUnauthorized: false,
  });
  // Verify the response has expected status code
  expect(response.statusCode).toEqual(204);
 });
 tap.test('should track connections and metrics', async () => {
  // Instead of creating a new proxy instance, let's just make requests to the existing one
  // and verify the metrics are being tracked
  // Get initial metrics counts
  const initialRequestsServed = testProxy.requestsServed || 0;
  // Make a few requests to ensure we have metrics to check
  for (let i = 0; i < 3; i++) {
    await makeHttpsRequest({
      hostname: 'localhost',
      port: 3001,
      path: '/metrics-test-' + i,
      method: 'GET',
      headers: { host: 'push.rocks' },
      rejectUnauthorized: false,
    });
  }
  // Wait a bit to let metrics update
  await new Promise(resolve => setTimeout(resolve, 100));
  // Verify metrics tracking is working - should have at least 3 more requests than before
  expect(testProxy.connectedClients).toBeDefined();
  expect(typeof testProxy.requestsServed).toEqual('number');
  expect(testProxy.requestsServed).toBeGreaterThan(initialRequestsServed + 2);
 });
 tap.test('cleanup', async () => {
  console.log('[TEST] Starting cleanup');
--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@push.rocks/smartproxy',
-  version: '3.2.0',
+  version: '3.29.0',
-  description: 'a proxy for handling high workloads of proxying'
+  description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.'
 }
--- a/ts/classes.iptablesproxy.ts
+++ b/ts/classes.iptablesproxy.ts
@ -0,0 +1,901 @@
 import { exec, execSync } from 'child_process';
 import { promisify } from 'util';
 const execAsync = promisify(exec);
 /**
 * Represents a port range for forwarding
 */
 export interface IPortRange {
  from: number;
  to: number;
 }
 /**
 * Settings for IPTablesProxy.
 */
 export interface IIpTableProxySettings {
  // Basic settings
  fromPort: number | IPortRange | Array<number | IPortRange>; // Support single port, port range, or multiple ports/ranges
  toPort: number | IPortRange | Array<number | IPortRange>;
  toHost?: string; // Target host for proxying; defaults to 'localhost'
  // Advanced settings
  preserveSourceIP?: boolean; // If true, the original source IP is preserved
  deleteOnExit?: boolean;     // If true, clean up marked iptables rules before process exit
  protocol?: 'tcp' | 'udp' | 'all'; // Protocol to forward, defaults to 'tcp'
  enableLogging?: boolean;    // Enable detailed logging
  ipv6Support?: boolean;      // Enable IPv6 support (ip6tables)
  // Source filtering
  allowedSourceIPs?: string[]; // If provided, only these IPs are allowed
  bannedSourceIPs?: string[];  // If provided, these IPs are blocked
  // Rule management
  forceCleanSlate?: boolean;   // Clear all IPTablesProxy rules before starting
  addJumpRule?: boolean;       // Add a custom chain for cleaner rule management
  checkExistingRules?: boolean; // Check if rules already exist before adding
  // Integration with PortProxy/NetworkProxy
  netProxyIntegration?: {
    enabled: boolean;
    redirectLocalhost?: boolean; // Redirect localhost traffic to NetworkProxy
    sslTerminationPort?: number; // Port where NetworkProxy handles SSL termination
  };
 }
 /**
 * Represents a rule added to iptables
 */
 interface IpTablesRule {
  table: string;
  chain: string;
  command: string;
  tag: string;
  added: boolean;
 }
 /**
 * IPTablesProxy sets up iptables NAT rules to forward TCP traffic.
 * Enhanced with multi-port support, IPv6, and integration with PortProxy/NetworkProxy.
 */
 export class IPTablesProxy {
  public settings: IIpTableProxySettings;
  private rules: IpTablesRule[] = [];
  private ruleTag: string;
  private customChain: string | null = null;
  constructor(settings: IIpTableProxySettings) {
    // Validate inputs to prevent command injection
    this.validateSettings(settings);
    // Set default settings
    this.settings = {
      ...settings,
      toHost: settings.toHost || 'localhost',
      protocol: settings.protocol || 'tcp',
      enableLogging: settings.enableLogging !== undefined ? settings.enableLogging : false,
      ipv6Support: settings.ipv6Support !== undefined ? settings.ipv6Support : false,
      checkExistingRules: settings.checkExistingRules !== undefined ? settings.checkExistingRules : true,
      netProxyIntegration: settings.netProxyIntegration || { enabled: false }
    };
    // Generate a unique identifier for the rules added by this instance
    this.ruleTag = `IPTablesProxy:${Date.now()}:${Math.random().toString(36).substr(2, 5)}`;
    if (this.settings.addJumpRule) {
      this.customChain = `IPTablesProxy_${Math.random().toString(36).substr(2, 5)}`;
    }
    // Register cleanup handlers if deleteOnExit is true
    if (this.settings.deleteOnExit) {
      const cleanup = () => {
        try {
          this.stopSync();
        } catch (err) {
          console.error('Error cleaning iptables rules on exit:', err);
        }
      };
      process.on('exit', cleanup);
      process.on('SIGINT', () => {
        cleanup();
        process.exit();
      });
      process.on('SIGTERM', () => {
        cleanup();
        process.exit();
      });
    }
  }
  /**
   * Validates settings to prevent command injection and ensure valid values
   */
  private validateSettings(settings: IIpTableProxySettings): void {
    // Validate port numbers
    const validatePorts = (port: number | IPortRange | Array<number | IPortRange>) => {
      if (Array.isArray(port)) {
        port.forEach(p => validatePorts(p));
        return;
      }
      if (typeof port === 'number') {
        if (port < 1 || port > 65535) {
          throw new Error(`Invalid port number: ${port}`);
        }
      } else if (typeof port === 'object') {
        if (port.from < 1 || port.from > 65535 || port.to < 1 || port.to > 65535 || port.from > port.to) {
          throw new Error(`Invalid port range: ${port.from}-${port.to}`);
        }
      }
    };
    validatePorts(settings.fromPort);
    validatePorts(settings.toPort);
    // Define regex patterns at the method level so they're available throughout
    const ipRegex = /^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$/;
    const ipv6Regex = /^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$/;
    // Validate IP addresses
    const validateIPs = (ips?: string[]) => {
      if (!ips) return;
      for (const ip of ips) {
        if (!ipRegex.test(ip) && !ipv6Regex.test(ip)) {
          throw new Error(`Invalid IP address format: ${ip}`);
        }
      }
    };
    validateIPs(settings.allowedSourceIPs);
    validateIPs(settings.bannedSourceIPs);
    // Validate toHost - only allow hostnames or IPs
    if (settings.toHost) {
      const hostRegex = /^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$/;
      if (!hostRegex.test(settings.toHost) && !ipRegex.test(settings.toHost) && !ipv6Regex.test(settings.toHost)) {
        throw new Error(`Invalid host format: ${settings.toHost}`);
      }
    }
  }
  /**
   * Normalizes port specifications into an array of port ranges
   */
  private normalizePortSpec(portSpec: number | IPortRange | Array<number | IPortRange>): IPortRange[] {
    const result: IPortRange[] = [];
    if (Array.isArray(portSpec)) {
      // If it's an array, process each element
      for (const spec of portSpec) {
        result.push(...this.normalizePortSpec(spec));
      }
    } else if (typeof portSpec === 'number') {
      // Single port becomes a range with the same start and end
      result.push({ from: portSpec, to: portSpec });
    } else {
      // Already a range
      result.push(portSpec);
    }
    return result;
  }
  /**
   * Gets the appropriate iptables command based on settings
   */
  private getIptablesCommand(isIpv6: boolean = false): string {
    return isIpv6 ? 'ip6tables' : 'iptables';
  }
  /**
   * Checks if a rule already exists in iptables
   */
  private async ruleExists(table: string, command: string, isIpv6: boolean = false): Promise<boolean> {
    try {
      const iptablesCmd = this.getIptablesCommand(isIpv6);
      const { stdout } = await execAsync(`${iptablesCmd}-save -t ${table}`);
      // Convert the command to the format found in iptables-save output
      // (This is a simplification - in reality, you'd need more parsing)
      const rulePattern = command.replace(`${iptablesCmd} -t ${table} -A `, '-A ');
      return stdout.split('\n').some(line => line.trim() === rulePattern);
    } catch (err) {
      this.log('error', `Failed to check if rule exists: ${err}`);
      return false;
    }
  }
  /**
   * Sets up a custom chain for better rule management
   */
  private async setupCustomChain(isIpv6: boolean = false): Promise<boolean> {
    if (!this.customChain) return true;
    const iptablesCmd = this.getIptablesCommand(isIpv6);
    const table = 'nat';
    try {
      // Create the chain
      await execAsync(`${iptablesCmd} -t ${table} -N ${this.customChain}`);
      this.log('info', `Created custom chain: ${this.customChain}`);
      // Add jump rule to PREROUTING chain
      const jumpCommand = `${iptablesCmd} -t ${table} -A PREROUTING -j ${this.customChain} -m comment --comment "${this.ruleTag}:JUMP"`;
      await execAsync(jumpCommand);
      this.log('info', `Added jump rule to ${this.customChain}`);
      // Store the jump rule
      this.rules.push({
        table,
        chain: 'PREROUTING',
        command: jumpCommand,
        tag: `${this.ruleTag}:JUMP`,
        added: true
      });
      return true;
    } catch (err) {
      this.log('error', `Failed to set up custom chain: ${err}`);
      return false;
    }
  }
  /**
   * Add a source IP filter rule
   */
  private async addSourceIPFilter(isIpv6: boolean = false): Promise<boolean> {
    if (!this.settings.allowedSourceIPs && !this.settings.bannedSourceIPs) {
      return true;
    }
    const iptablesCmd = this.getIptablesCommand(isIpv6);
    const table = 'nat';
    const chain = this.customChain || 'PREROUTING';
    try {
      // Add banned IPs first (explicit deny)
      if (this.settings.bannedSourceIPs && this.settings.bannedSourceIPs.length > 0) {
        for (const ip of this.settings.bannedSourceIPs) {
          const command = `${iptablesCmd} -t ${table} -A ${chain} -s ${ip} -j DROP -m comment --comment "${this.ruleTag}:BANNED"`;
          // Check if rule already exists
          if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
            this.log('info', `Rule already exists, skipping: ${command}`);
            continue;
          }
          await execAsync(command);
          this.log('info', `Added banned IP rule: ${command}`);
          this.rules.push({
            table,
            chain,
            command,
            tag: `${this.ruleTag}:BANNED`,
            added: true
          });
        }
      }
      // Add allowed IPs (explicit allow)
      if (this.settings.allowedSourceIPs && this.settings.allowedSourceIPs.length > 0) {
        // First add a default deny for all
        const denyAllCommand = `${iptablesCmd} -t ${table} -A ${chain} -p ${this.settings.protocol} -j DROP -m comment --comment "${this.ruleTag}:DENY_ALL"`;
        // Add allow rules for specific IPs
        for (const ip of this.settings.allowedSourceIPs) {
          const command = `${iptablesCmd} -t ${table} -A ${chain} -s ${ip} -p ${this.settings.protocol} -j ACCEPT -m comment --comment "${this.ruleTag}:ALLOWED"`;
          // Check if rule already exists
          if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
            this.log('info', `Rule already exists, skipping: ${command}`);
            continue;
          }
          await execAsync(command);
          this.log('info', `Added allowed IP rule: ${command}`);
          this.rules.push({
            table,
            chain,
            command,
            tag: `${this.ruleTag}:ALLOWED`,
            added: true
          });
        }
        // Now add the default deny after all allows
        if (this.settings.checkExistingRules && await this.ruleExists(table, denyAllCommand, isIpv6)) {
          this.log('info', `Rule already exists, skipping: ${denyAllCommand}`);
        } else {
          await execAsync(denyAllCommand);
          this.log('info', `Added default deny rule: ${denyAllCommand}`);
          this.rules.push({
            table,
            chain,
            command: denyAllCommand,
            tag: `${this.ruleTag}:DENY_ALL`,
            added: true
          });
        }
      }
      return true;
    } catch (err) {
      this.log('error', `Failed to add source IP filter rules: ${err}`);
      return false;
    }
  }
  /**
   * Adds a port forwarding rule
   */
  private async addPortForwardingRule(
    fromPortRange: IPortRange,
    toPortRange: IPortRange,
    isIpv6: boolean = false
  ): Promise<boolean> {
    const iptablesCmd = this.getIptablesCommand(isIpv6);
    const table = 'nat';
    const chain = this.customChain || 'PREROUTING';
    try {
      // Handle single port case
      if (fromPortRange.from === fromPortRange.to && toPortRange.from === toPortRange.to) {
        // Single port forward
        const command = `${iptablesCmd} -t ${table} -A ${chain} -p ${this.settings.protocol} --dport ${fromPortRange.from} ` +
          `-j DNAT --to-destination ${this.settings.toHost}:${toPortRange.from} ` +
          `-m comment --comment "${this.ruleTag}:DNAT"`;
        // Check if rule already exists
        if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
          this.log('info', `Rule already exists, skipping: ${command}`);
        } else {
          await execAsync(command);
          this.log('info', `Added port forwarding rule: ${command}`);
          this.rules.push({
            table,
            chain,
            command,
            tag: `${this.ruleTag}:DNAT`,
            added: true
          });
        }
      } else if (fromPortRange.to - fromPortRange.from === toPortRange.to - toPortRange.from) {
        // Port range forward with equal ranges
        const command = `${iptablesCmd} -t ${table} -A ${chain} -p ${this.settings.protocol} --dport ${fromPortRange.from}:${fromPortRange.to} ` +
          `-j DNAT --to-destination ${this.settings.toHost}:${toPortRange.from}-${toPortRange.to} ` +
          `-m comment --comment "${this.ruleTag}:DNAT_RANGE"`;
        // Check if rule already exists
        if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
          this.log('info', `Rule already exists, skipping: ${command}`);
        } else {
          await execAsync(command);
          this.log('info', `Added port range forwarding rule: ${command}`);
          this.rules.push({
            table,
            chain,
            command,
            tag: `${this.ruleTag}:DNAT_RANGE`,
            added: true
          });
        }
      } else {
        // Unequal port ranges need individual rules
        for (let i = 0; i <= fromPortRange.to - fromPortRange.from; i++) {
          const fromPort = fromPortRange.from + i;
          const toPort = toPortRange.from + i % (toPortRange.to - toPortRange.from + 1);
          const command = `${iptablesCmd} -t ${table} -A ${chain} -p ${this.settings.protocol} --dport ${fromPort} ` +
            `-j DNAT --to-destination ${this.settings.toHost}:${toPort} ` +
            `-m comment --comment "${this.ruleTag}:DNAT_INDIVIDUAL"`;
          // Check if rule already exists
          if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
            this.log('info', `Rule already exists, skipping: ${command}`);
            continue;
          }
          await execAsync(command);
          this.log('info', `Added individual port forwarding rule: ${command}`);
          this.rules.push({
            table,
            chain,
            command,
            tag: `${this.ruleTag}:DNAT_INDIVIDUAL`,
            added: true
          });
        }
      }
      // If preserveSourceIP is false, add a MASQUERADE rule
      if (!this.settings.preserveSourceIP) {
        // For port range
        const masqCommand = `${iptablesCmd} -t nat -A POSTROUTING -p ${this.settings.protocol} -d ${this.settings.toHost} ` +
          `--dport ${toPortRange.from}:${toPortRange.to} -j MASQUERADE ` +
          `-m comment --comment "${this.ruleTag}:MASQ"`;
        // Check if rule already exists
        if (this.settings.checkExistingRules && await this.ruleExists('nat', masqCommand, isIpv6)) {
          this.log('info', `Rule already exists, skipping: ${masqCommand}`);
        } else {
          await execAsync(masqCommand);
          this.log('info', `Added MASQUERADE rule: ${masqCommand}`);
          this.rules.push({
            table: 'nat',
            chain: 'POSTROUTING',
            command: masqCommand,
            tag: `${this.ruleTag}:MASQ`,
            added: true
          });
        }
      }
      return true;
    } catch (err) {
      this.log('error', `Failed to add port forwarding rule: ${err}`);
      // Try to roll back any rules that were already added
      await this.rollbackRules();
      return false;
    }
  }
  /**
   * Special handling for NetworkProxy integration
   */
  private async setupNetworkProxyIntegration(isIpv6: boolean = false): Promise<boolean> {
    if (!this.settings.netProxyIntegration?.enabled) {
      return true;
    }
    const netProxyConfig = this.settings.netProxyIntegration;
    const iptablesCmd = this.getIptablesCommand(isIpv6);
    const table = 'nat';
    const chain = this.customChain || 'PREROUTING';
    try {
      // If redirectLocalhost is true, set up special rule to redirect localhost traffic to NetworkProxy
      if (netProxyConfig.redirectLocalhost && netProxyConfig.sslTerminationPort) {
        const redirectCommand = `${iptablesCmd} -t ${table} -A OUTPUT -p tcp -d 127.0.0.1 -j REDIRECT ` +
          `--to-port ${netProxyConfig.sslTerminationPort} ` +
          `-m comment --comment "${this.ruleTag}:NETPROXY_REDIRECT"`;
        // Check if rule already exists
        if (this.settings.checkExistingRules && await this.ruleExists(table, redirectCommand, isIpv6)) {
          this.log('info', `Rule already exists, skipping: ${redirectCommand}`);
        } else {
          await execAsync(redirectCommand);
          this.log('info', `Added NetworkProxy redirection rule: ${redirectCommand}`);
          this.rules.push({
            table,
            chain: 'OUTPUT',
            command: redirectCommand,
            tag: `${this.ruleTag}:NETPROXY_REDIRECT`,
            added: true
          });
        }
      }
      return true;
    } catch (err) {
      this.log('error', `Failed to set up NetworkProxy integration: ${err}`);
      return false;
    }
  }
  /**
   * Rolls back rules that were added in case of error
   */
  private async rollbackRules(): Promise<void> {
    // Process rules in reverse order (LIFO)
    for (let i = this.rules.length - 1; i >= 0; i--) {
      const rule = this.rules[i];
      if (rule.added) {
        try {
          // Convert -A (add) to -D (delete)
          const deleteCommand = rule.command.replace('-A', '-D');
          await execAsync(deleteCommand);
          this.log('info', `Rolled back rule: ${deleteCommand}`);
          rule.added = false;
        } catch (err) {
          this.log('error', `Failed to roll back rule: ${err}`);
        }
      }
    }
  }
  /**
   * Sets up iptables rules for port forwarding with enhanced features
   */
  public async start(): Promise<void> {
    // Optionally clean the slate first
    if (this.settings.forceCleanSlate) {
      await IPTablesProxy.cleanSlate();
    }
    // First set up any custom chains
    if (this.settings.addJumpRule) {
      const chainSetupSuccess = await this.setupCustomChain();
      if (!chainSetupSuccess) {
        throw new Error('Failed to set up custom chain');
      }
      // For IPv6 if enabled
      if (this.settings.ipv6Support) {
        const chainSetupSuccessIpv6 = await this.setupCustomChain(true);
        if (!chainSetupSuccessIpv6) {
          this.log('warn', 'Failed to set up IPv6 custom chain, continuing with IPv4 only');
        }
      }
    }
    // Add source IP filters
    await this.addSourceIPFilter();
    if (this.settings.ipv6Support) {
      await this.addSourceIPFilter(true);
    }
    // Set up NetworkProxy integration if enabled
    if (this.settings.netProxyIntegration?.enabled) {
      const netProxySetupSuccess = await this.setupNetworkProxyIntegration();
      if (!netProxySetupSuccess) {
        this.log('warn', 'Failed to set up NetworkProxy integration');
      }
      if (this.settings.ipv6Support) {
        await this.setupNetworkProxyIntegration(true);
      }
    }
    // Normalize port specifications
    const fromPortRanges = this.normalizePortSpec(this.settings.fromPort);
    const toPortRanges = this.normalizePortSpec(this.settings.toPort);
    // Handle the case where fromPort and toPort counts don't match
    if (fromPortRanges.length !== toPortRanges.length) {
      if (toPortRanges.length === 1) {
        // If there's only one toPort, use it for all fromPorts
        for (const fromRange of fromPortRanges) {
          await this.addPortForwardingRule(fromRange, toPortRanges[0]);
          if (this.settings.ipv6Support) {
            await this.addPortForwardingRule(fromRange, toPortRanges[0], true);
          }
        }
      } else {
        throw new Error('Mismatched port counts: fromPort and toPort arrays must have equal length or toPort must be a single value');
      }
    } else {
      // Add port forwarding rules for each port specification
      for (let i = 0; i < fromPortRanges.length; i++) {
        await this.addPortForwardingRule(fromPortRanges[i], toPortRanges[i]);
        if (this.settings.ipv6Support) {
          await this.addPortForwardingRule(fromPortRanges[i], toPortRanges[i], true);
        }
      }
    }
    // Final check - ensure we have at least one rule added
    if (this.rules.filter(r => r.added).length === 0) {
      throw new Error('No rules were added');
    }
  }
  /**
   * Removes all added iptables rules
   */
  public async stop(): Promise<void> {
    // Process rules in reverse order (LIFO)
    for (let i = this.rules.length - 1; i >= 0; i--) {
      const rule = this.rules[i];
      if (rule.added) {
        try {
          // Convert -A (add) to -D (delete)
          const deleteCommand = rule.command.replace('-A', '-D');
          await execAsync(deleteCommand);
          this.log('info', `Removed rule: ${deleteCommand}`);
          rule.added = false;
        } catch (err) {
          this.log('error', `Failed to remove rule: ${err}`);
        }
      }
    }
    // If we created a custom chain, we need to clean it up
    if (this.customChain) {
      try {
        // First flush the chain
        await execAsync(`iptables -t nat -F ${this.customChain}`);
        this.log('info', `Flushed custom chain: ${this.customChain}`);
        // Then delete it
        await execAsync(`iptables -t nat -X ${this.customChain}`);
        this.log('info', `Deleted custom chain: ${this.customChain}`);
        // Same for IPv6 if enabled
        if (this.settings.ipv6Support) {
          try {
            await execAsync(`ip6tables -t nat -F ${this.customChain}`);
            await execAsync(`ip6tables -t nat -X ${this.customChain}`);
            this.log('info', `Deleted IPv6 custom chain: ${this.customChain}`);
          } catch (err) {
            this.log('error', `Failed to delete IPv6 custom chain: ${err}`);
          }
        }
      } catch (err) {
        this.log('error', `Failed to delete custom chain: ${err}`);
      }
    }
    // Clear rules array
    this.rules = [];
  }
  /**
   * Synchronous version of stop, for use in exit handlers
   */
  public stopSync(): void {
    // Process rules in reverse order (LIFO)
    for (let i = this.rules.length - 1; i >= 0; i--) {
      const rule = this.rules[i];
      if (rule.added) {
        try {
          // Convert -A (add) to -D (delete)
          const deleteCommand = rule.command.replace('-A', '-D');
          execSync(deleteCommand);
          this.log('info', `Removed rule: ${deleteCommand}`);
          rule.added = false;
        } catch (err) {
          this.log('error', `Failed to remove rule: ${err}`);
        }
      }
    }
    // If we created a custom chain, we need to clean it up
    if (this.customChain) {
      try {
        // First flush the chain
        execSync(`iptables -t nat -F ${this.customChain}`);
        // Then delete it
        execSync(`iptables -t nat -X ${this.customChain}`);
        this.log('info', `Deleted custom chain: ${this.customChain}`);
        // Same for IPv6 if enabled
        if (this.settings.ipv6Support) {
          try {
            execSync(`ip6tables -t nat -F ${this.customChain}`);
            execSync(`ip6tables -t nat -X ${this.customChain}`);
          } catch (err) {
            // IPv6 failures are non-critical
          }
        }
      } catch (err) {
        this.log('error', `Failed to delete custom chain: ${err}`);
      }
    }
    // Clear rules array
    this.rules = [];
  }
  /**
   * Asynchronously cleans up any iptables rules in the nat table that were added by this module.
   * It looks for rules with comments containing "IPTablesProxy:".
   */
  public static async cleanSlate(): Promise<void> {
    await IPTablesProxy.cleanSlateInternal();
    // Also clean IPv6 rules
    await IPTablesProxy.cleanSlateInternal(true);
  }
  /**
   * Internal implementation of cleanSlate with IPv6 support
   */
  private static async cleanSlateInternal(isIpv6: boolean = false): Promise<void> {
    const iptablesCmd = isIpv6 ? 'ip6tables' : 'iptables';
    try {
      const { stdout } = await execAsync(`${iptablesCmd}-save -t nat`);
      const lines = stdout.split('\n');
      const proxyLines = lines.filter(line => line.includes('IPTablesProxy:'));
      // First, find and remove any custom chains
      const customChains = new Set<string>();
      const jumpRules: string[] = [];
      for (const line of proxyLines) {
        if (line.includes('IPTablesProxy:JUMP')) {
          // Extract chain name from jump rule
          const match = line.match(/\s+-j\s+(\S+)\s+/);
          if (match && match[1].startsWith('IPTablesProxy_')) {
            customChains.add(match[1]);
            jumpRules.push(line);
          }
        }
      }
      // Remove jump rules first
      for (const line of jumpRules) {
        const trimmedLine = line.trim();
        if (trimmedLine.startsWith('-A')) {
          // Replace the "-A" with "-D" to form a deletion command
          const deleteRule = trimmedLine.replace('-A', '-D');
          const cmd = `${iptablesCmd} -t nat ${deleteRule}`;
          try {
            await execAsync(cmd);
            console.log(`Cleaned up iptables jump rule: ${cmd}`);
          } catch (err) {
            console.error(`Failed to remove iptables jump rule: ${cmd}`, err);
          }
        }
      }
      // Then remove all other rules
      for (const line of proxyLines) {
        if (!line.includes('IPTablesProxy:JUMP')) { // Skip jump rules we already handled
          const trimmedLine = line.trim();
          if (trimmedLine.startsWith('-A')) {
            // Replace the "-A" with "-D" to form a deletion command
            const deleteRule = trimmedLine.replace('-A', '-D');
            const cmd = `${iptablesCmd} -t nat ${deleteRule}`;
            try {
              await execAsync(cmd);
              console.log(`Cleaned up iptables rule: ${cmd}`);
            } catch (err) {
              console.error(`Failed to remove iptables rule: ${cmd}`, err);
            }
          }
        }
      }
      // Finally clean up custom chains
      for (const chain of customChains) {
        try {
          // Flush the chain
          await execAsync(`${iptablesCmd} -t nat -F ${chain}`);
          console.log(`Flushed custom chain: ${chain}`);
          // Delete the chain
          await execAsync(`${iptablesCmd} -t nat -X ${chain}`);
          console.log(`Deleted custom chain: ${chain}`);
        } catch (err) {
          console.error(`Failed to delete custom chain ${chain}:`, err);
        }
      }
    } catch (err) {
      console.error(`Failed to run ${iptablesCmd}-save: ${err}`);
    }
  }
  /**
   * Synchronously cleans up any iptables rules in the nat table that were added by this module.
   * It looks for rules with comments containing "IPTablesProxy:".
   * This method is intended for use in process exit handlers.
   */
  public static cleanSlateSync(): void {
    IPTablesProxy.cleanSlateSyncInternal();
    // Also clean IPv6 rules
    IPTablesProxy.cleanSlateSyncInternal(true);
  }
  /**
   * Internal implementation of cleanSlateSync with IPv6 support
   */
  private static cleanSlateSyncInternal(isIpv6: boolean = false): void {
    const iptablesCmd = isIpv6 ? 'ip6tables' : 'iptables';
    try {
      const stdout = execSync(`${iptablesCmd}-save -t nat`).toString();
      const lines = stdout.split('\n');
      const proxyLines = lines.filter(line => line.includes('IPTablesProxy:'));
      // First, find and remove any custom chains
      const customChains = new Set<string>();
      const jumpRules: string[] = [];
      for (const line of proxyLines) {
        if (line.includes('IPTablesProxy:JUMP')) {
          // Extract chain name from jump rule
          const match = line.match(/\s+-j\s+(\S+)\s+/);
          if (match && match[1].startsWith('IPTablesProxy_')) {
            customChains.add(match[1]);
            jumpRules.push(line);
          }
        }
      }
      // Remove jump rules first
      for (const line of jumpRules) {
        const trimmedLine = line.trim();
        if (trimmedLine.startsWith('-A')) {
          // Replace the "-A" with "-D" to form a deletion command
          const deleteRule = trimmedLine.replace('-A', '-D');
          const cmd = `${iptablesCmd} -t nat ${deleteRule}`;
          try {
            execSync(cmd);
            console.log(`Cleaned up iptables jump rule: ${cmd}`);
          } catch (err) {
            console.error(`Failed to remove iptables jump rule: ${cmd}`, err);
          }
        }
      }
      // Then remove all other rules
      for (const line of proxyLines) {
        if (!line.includes('IPTablesProxy:JUMP')) { // Skip jump rules we already handled
          const trimmedLine = line.trim();
          if (trimmedLine.startsWith('-A')) {
            const deleteRule = trimmedLine.replace('-A', '-D');
            const cmd = `${iptablesCmd} -t nat ${deleteRule}`;
            try {
              execSync(cmd);
              console.log(`Cleaned up iptables rule: ${cmd}`);
            } catch (err) {
              console.error(`Failed to remove iptables rule: ${cmd}`, err);
            }
          }
        }
      }
      // Finally clean up custom chains
      for (const chain of customChains) {
        try {
          // Flush the chain
          execSync(`${iptablesCmd} -t nat -F ${chain}`);
          // Delete the chain
          execSync(`${iptablesCmd} -t nat -X ${chain}`);
          console.log(`Deleted custom chain: ${chain}`);
        } catch (err) {
          console.error(`Failed to delete custom chain ${chain}:`, err);
        }
      }
    } catch (err) {
      console.error(`Failed to run ${iptablesCmd}-save: ${err}`);
    }
  }
  /**
   * Logging utility that respects the enableLogging setting
   */
  private log(level: 'info' | 'warn' | 'error', message: string): void {
    if (!this.settings.enableLogging && level === 'info') {
      return;
    }
    const timestamp = new Date().toISOString();
    switch (level) {
      case 'info':
        console.log(`[${timestamp}] [INFO] ${message}`);
        break;
      case 'warn':
        console.warn(`[${timestamp}] [WARN] ${message}`);
        break;
      case 'error':
        console.error(`[${timestamp}] [ERROR] ${message}`);
        break;
    }
  }
 }
--- a/ts/classes.networkproxy.ts
+++ b/ts/classes.networkproxy.ts
--- a/ts/classes.port80handler.ts
+++ b/ts/classes.port80handler.ts
@ -0,0 +1,559 @@
 import * as plugins from './plugins.js';
 /**
 * Represents a domain certificate with various status information
 */
 interface IDomainCertificate {
  certObtained: boolean;
  obtainingInProgress: boolean;
  certificate?: string;
  privateKey?: string;
  challengeToken?: string;
  challengeKeyAuthorization?: string;
  expiryDate?: Date;
  lastRenewalAttempt?: Date;
 }
 /**
 * Configuration options for the ACME Certificate Manager
 */
 interface IAcmeCertManagerOptions {
  port?: number;
  contactEmail?: string;
  useProduction?: boolean;
  renewThresholdDays?: number;
  httpsRedirectPort?: number;
  renewCheckIntervalHours?: number;
 }
 /**
 * Certificate data that can be emitted via events or set from outside
 */
 interface ICertificateData {
  domain: string;
  certificate: string;
  privateKey: string;
  expiryDate: Date;
 }
 /**
 * Events emitted by the ACME Certificate Manager
 */
 export enum CertManagerEvents {
  CERTIFICATE_ISSUED = 'certificate-issued',
  CERTIFICATE_RENEWED = 'certificate-renewed',
  CERTIFICATE_FAILED = 'certificate-failed',
  CERTIFICATE_EXPIRING = 'certificate-expiring',
  MANAGER_STARTED = 'manager-started',
  MANAGER_STOPPED = 'manager-stopped',
 }
 /**
 * Improved ACME Certificate Manager with event emission and external certificate management
 */
 export class AcmeCertManager extends plugins.EventEmitter {
  private domainCertificates: Map<string, IDomainCertificate>;
  private server: plugins.http.Server | null = null;
  private acmeClient: plugins.acme.Client | null = null;
  private accountKey: string | null = null;
  private renewalTimer: NodeJS.Timeout | null = null;
  private isShuttingDown: boolean = false;
  private options: Required<IAcmeCertManagerOptions>;
  /**
   * Creates a new ACME Certificate Manager
   * @param options Configuration options
   */
  constructor(options: IAcmeCertManagerOptions = {}) {
    super();
    this.domainCertificates = new Map<string, IDomainCertificate>();
    // Default options
    this.options = {
      port: options.port ?? 80,
      contactEmail: options.contactEmail ?? 'admin@example.com',
      useProduction: options.useProduction ?? false, // Safer default: staging
      renewThresholdDays: options.renewThresholdDays ?? 30,
      httpsRedirectPort: options.httpsRedirectPort ?? 443,
      renewCheckIntervalHours: options.renewCheckIntervalHours ?? 24,
    };
  }
  /**
   * Starts the HTTP server for ACME challenges
   */
  public async start(): Promise<void> {
    if (this.server) {
      throw new Error('Server is already running');
    }
    if (this.isShuttingDown) {
      throw new Error('Server is shutting down');
    }
    return new Promise((resolve, reject) => {
      try {
        this.server = plugins.http.createServer((req, res) => this.handleRequest(req, res));
        this.server.on('error', (error: NodeJS.ErrnoException) => {
          if (error.code === 'EACCES') {
            reject(new Error(`Permission denied to bind to port ${this.options.port}. Try running with elevated privileges or use a port > 1024.`));
          } else if (error.code === 'EADDRINUSE') {
            reject(new Error(`Port ${this.options.port} is already in use.`));
          } else {
            reject(error);
          }
        });
        this.server.listen(this.options.port, () => {
          console.log(`AcmeCertManager is listening on port ${this.options.port}`);
          this.startRenewalTimer();
          this.emit(CertManagerEvents.MANAGER_STARTED, this.options.port);
          resolve();
        });
      } catch (error) {
        reject(error);
      }
    });
  }
  /**
   * Stops the HTTP server and renewal timer
   */
  public async stop(): Promise<void> {
    if (!this.server) {
      return;
    }
    this.isShuttingDown = true;
    // Stop the renewal timer
    if (this.renewalTimer) {
      clearInterval(this.renewalTimer);
      this.renewalTimer = null;
    }
    return new Promise<void>((resolve) => {
      if (this.server) {
        this.server.close(() => {
          this.server = null;
          this.isShuttingDown = false;
          this.emit(CertManagerEvents.MANAGER_STOPPED);
          resolve();
        });
      } else {
        this.isShuttingDown = false;
        resolve();
      }
    });
  }
  /**
   * Adds a domain to be managed for certificates
   * @param domain The domain to add
   */
  public addDomain(domain: string): void {
    if (!this.domainCertificates.has(domain)) {
      this.domainCertificates.set(domain, { certObtained: false, obtainingInProgress: false });
      console.log(`Domain added: ${domain}`);
    }
  }
  /**
   * Removes a domain from management
   * @param domain The domain to remove
   */
  public removeDomain(domain: string): void {
    if (this.domainCertificates.delete(domain)) {
      console.log(`Domain removed: ${domain}`);
    }
  }
  /**
   * Sets a certificate for a domain directly (for externally obtained certificates)
   * @param domain The domain for the certificate
   * @param certificate The certificate (PEM format)
   * @param privateKey The private key (PEM format)
   * @param expiryDate Optional expiry date
   */
  public setCertificate(domain: string, certificate: string, privateKey: string, expiryDate?: Date): void {
    let domainInfo = this.domainCertificates.get(domain);
    if (!domainInfo) {
      domainInfo = { certObtained: false, obtainingInProgress: false };
      this.domainCertificates.set(domain, domainInfo);
    }
    domainInfo.certificate = certificate;
    domainInfo.privateKey = privateKey;
    domainInfo.certObtained = true;
    domainInfo.obtainingInProgress = false;
    if (expiryDate) {
      domainInfo.expiryDate = expiryDate;
    } else {
      // Try to extract expiry date from certificate
      try {
        // This is a simplistic approach - in a real implementation, use a proper
        // certificate parsing library like node-forge or x509
        const matches = certificate.match(/Not After\s*:\s*(.*?)(?:\n|$)/i);
        if (matches && matches[1]) {
          domainInfo.expiryDate = new Date(matches[1]);
        }
      } catch (error) {
        console.warn(`Failed to extract expiry date from certificate for ${domain}`);
      }
    }
    console.log(`Certificate set for ${domain}`);
    // Emit certificate event
    this.emitCertificateEvent(CertManagerEvents.CERTIFICATE_ISSUED, {
      domain,
      certificate,
      privateKey,
      expiryDate: domainInfo.expiryDate || new Date(Date.now() + 90 * 24 * 60 * 60 * 1000) // 90 days default
    });
  }
  /**
   * Gets the certificate for a domain if it exists
   * @param domain The domain to get the certificate for
   */
  public getCertificate(domain: string): ICertificateData | null {
    const domainInfo = this.domainCertificates.get(domain);
    if (!domainInfo || !domainInfo.certObtained || !domainInfo.certificate || !domainInfo.privateKey) {
      return null;
    }
    return {
      domain,
      certificate: domainInfo.certificate,
      privateKey: domainInfo.privateKey,
      expiryDate: domainInfo.expiryDate || new Date(Date.now() + 90 * 24 * 60 * 60 * 1000) // 90 days default
    };
  }
  /**
   * Lazy initialization of the ACME client
   * @returns An ACME client instance
   */
  private async getAcmeClient(): Promise<plugins.acme.Client> {
    if (this.acmeClient) {
      return this.acmeClient;
    }
    // Generate a new account key
    this.accountKey = (await plugins.acme.forge.createPrivateKey()).toString();
    this.acmeClient = new plugins.acme.Client({
      directoryUrl: this.options.useProduction 
        ? plugins.acme.directory.letsencrypt.production 
        : plugins.acme.directory.letsencrypt.staging,
      accountKey: this.accountKey,
    });
    // Create a new account
    await this.acmeClient.createAccount({
      termsOfServiceAgreed: true,
      contact: [`mailto:${this.options.contactEmail}`],
    });
    return this.acmeClient;
  }
  /**
   * Handles incoming HTTP requests
   * @param req The HTTP request
   * @param res The HTTP response
   */
  private handleRequest(req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse): void {
    const hostHeader = req.headers.host;
    if (!hostHeader) {
      res.statusCode = 400;
      res.end('Bad Request: Host header is missing');
      return;
    }
    // Extract domain (ignoring any port in the Host header)
    const domain = hostHeader.split(':')[0];
    // If the request is for an ACME HTTP-01 challenge, handle it
    if (req.url && req.url.startsWith('/.well-known/acme-challenge/')) {
      this.handleAcmeChallenge(req, res, domain);
      return;
    }
    if (!this.domainCertificates.has(domain)) {
      res.statusCode = 404;
      res.end('Domain not configured');
      return;
    }
    const domainInfo = this.domainCertificates.get(domain)!;
    // If certificate exists, redirect to HTTPS
    if (domainInfo.certObtained) {
      const httpsPort = this.options.httpsRedirectPort;
      const portSuffix = httpsPort === 443 ? '' : `:${httpsPort}`;
      const redirectUrl = `https://${domain}${portSuffix}${req.url || '/'}`;
      res.statusCode = 301;
      res.setHeader('Location', redirectUrl);
      res.end(`Redirecting to ${redirectUrl}`);
    } else {
      // Trigger certificate issuance if not already running
      if (!domainInfo.obtainingInProgress) {
        this.obtainCertificate(domain).catch(err => {
          this.emit(CertManagerEvents.CERTIFICATE_FAILED, { domain, error: err.message });
          console.error(`Error obtaining certificate for ${domain}:`, err);
        });
      }
      res.statusCode = 503;
      res.end('Certificate issuance in progress, please try again later.');
    }
  }
  /**
   * Serves the ACME HTTP-01 challenge response
   * @param req The HTTP request
   * @param res The HTTP response
   * @param domain The domain for the challenge
   */
  private handleAcmeChallenge(req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse, domain: string): void {
    const domainInfo = this.domainCertificates.get(domain);
    if (!domainInfo) {
      res.statusCode = 404;
      res.end('Domain not configured');
      return;
    }
    // The token is the last part of the URL
    const urlParts = req.url?.split('/');
    const token = urlParts ? urlParts[urlParts.length - 1] : '';
    if (domainInfo.challengeToken === token && domainInfo.challengeKeyAuthorization) {
      res.statusCode = 200;
      res.setHeader('Content-Type', 'text/plain');
      res.end(domainInfo.challengeKeyAuthorization);
      console.log(`Served ACME challenge response for ${domain}`);
    } else {
      res.statusCode = 404;
      res.end('Challenge token not found');
    }
  }
  /**
   * Obtains a certificate for a domain using ACME HTTP-01 challenge
   * @param domain The domain to obtain a certificate for
   * @param isRenewal Whether this is a renewal attempt
   */
  private async obtainCertificate(domain: string, isRenewal: boolean = false): Promise<void> {
    // Get the domain info
    const domainInfo = this.domainCertificates.get(domain);
    if (!domainInfo) {
      throw new Error(`Domain not found: ${domain}`);
    }
    // Prevent concurrent certificate issuance
    if (domainInfo.obtainingInProgress) {
      console.log(`Certificate issuance already in progress for ${domain}`);
      return;
    }
    domainInfo.obtainingInProgress = true;
    domainInfo.lastRenewalAttempt = new Date();
    try {
      const client = await this.getAcmeClient();
      // Create a new order for the domain
      const order = await client.createOrder({
        identifiers: [{ type: 'dns', value: domain }],
      });
      // Get the authorizations for the order
      const authorizations = await client.getAuthorizations(order);
      for (const authz of authorizations) {
        const challenge = authz.challenges.find(ch => ch.type === 'http-01');
        if (!challenge) {
          throw new Error('HTTP-01 challenge not found');
        }
        // Get the key authorization for the challenge
        const keyAuthorization = await client.getChallengeKeyAuthorization(challenge);
        // Store the challenge data
        domainInfo.challengeToken = challenge.token;
        domainInfo.challengeKeyAuthorization = keyAuthorization;
        // ACME client type definition workaround - use compatible approach
        // First check if challenge verification is needed
        const authzUrl = authz.url;
        try {
          // Check if authzUrl exists and perform verification
          if (authzUrl) {
            await client.verifyChallenge(authz, challenge);
          }
          // Complete the challenge
          await client.completeChallenge(challenge);
          // Wait for validation
          await client.waitForValidStatus(challenge);
          console.log(`HTTP-01 challenge completed for ${domain}`);
        } catch (error) {
          console.error(`Challenge error for ${domain}:`, error);
          throw error;
        }
      }
      // Generate a CSR and private key
      const [csrBuffer, privateKeyBuffer] = await plugins.acme.forge.createCsr({
        commonName: domain,
      });
      const csr = csrBuffer.toString();
      const privateKey = privateKeyBuffer.toString();
      // Finalize the order with our CSR
      await client.finalizeOrder(order, csr);
      // Get the certificate with the full chain
      const certificate = await client.getCertificate(order);
      // Store the certificate and key
      domainInfo.certificate = certificate;
      domainInfo.privateKey = privateKey;
      domainInfo.certObtained = true;
      // Clear challenge data
      delete domainInfo.challengeToken;
      delete domainInfo.challengeKeyAuthorization;
      // Extract expiry date from certificate
      try {
        const matches = certificate.match(/Not After\s*:\s*(.*?)(?:\n|$)/i);
        if (matches && matches[1]) {
          domainInfo.expiryDate = new Date(matches[1]);
          console.log(`Certificate for ${domain} will expire on ${domainInfo.expiryDate.toISOString()}`);
        }
      } catch (error) {
        console.warn(`Failed to extract expiry date from certificate for ${domain}`);
      }
      console.log(`Certificate ${isRenewal ? 'renewed' : 'obtained'} for ${domain}`);
      // Emit the appropriate event
      const eventType = isRenewal 
        ? CertManagerEvents.CERTIFICATE_RENEWED 
        : CertManagerEvents.CERTIFICATE_ISSUED;
      this.emitCertificateEvent(eventType, {
        domain,
        certificate,
        privateKey,
        expiryDate: domainInfo.expiryDate || new Date(Date.now() + 90 * 24 * 60 * 60 * 1000) // 90 days default
      });
    } catch (error: any) {
      // Check for rate limit errors
      if (error.message && (
        error.message.includes('rateLimited') || 
        error.message.includes('too many certificates') || 
        error.message.includes('rate limit')
      )) {
        console.error(`Rate limit reached for ${domain}. Waiting before retry.`);
      } else {
        console.error(`Error during certificate issuance for ${domain}:`, error);
      }
      // Emit failure event
      this.emit(CertManagerEvents.CERTIFICATE_FAILED, {
        domain,
        error: error.message || 'Unknown error',
        isRenewal
      });
    } finally {
      // Reset flag whether successful or not
      domainInfo.obtainingInProgress = false;
    }
  }
  /**
   * Starts the certificate renewal timer
   */
  private startRenewalTimer(): void {
    if (this.renewalTimer) {
      clearInterval(this.renewalTimer);
    }
    // Convert hours to milliseconds
    const checkInterval = this.options.renewCheckIntervalHours * 60 * 60 * 1000;
    this.renewalTimer = setInterval(() => this.checkForRenewals(), checkInterval);
    // Prevent the timer from keeping the process alive
    if (this.renewalTimer.unref) {
      this.renewalTimer.unref();
    }
    console.log(`Certificate renewal check scheduled every ${this.options.renewCheckIntervalHours} hours`);
  }
  /**
   * Checks for certificates that need renewal
   */
  private checkForRenewals(): void {
    if (this.isShuttingDown) {
      return;
    }
    console.log('Checking for certificates that need renewal...');
    const now = new Date();
    const renewThresholdMs = this.options.renewThresholdDays * 24 * 60 * 60 * 1000;
    for (const [domain, domainInfo] of this.domainCertificates.entries()) {
      // Skip domains without certificates or already in renewal
      if (!domainInfo.certObtained || domainInfo.obtainingInProgress) {
        continue;
      }
      // Skip domains without expiry dates
      if (!domainInfo.expiryDate) {
        continue;
      }
      const timeUntilExpiry = domainInfo.expiryDate.getTime() - now.getTime();
      // Check if certificate is near expiry
      if (timeUntilExpiry <= renewThresholdMs) {
        console.log(`Certificate for ${domain} expires soon, renewing...`);
        this.emit(CertManagerEvents.CERTIFICATE_EXPIRING, {
          domain,
          expiryDate: domainInfo.expiryDate,
          daysRemaining: Math.ceil(timeUntilExpiry / (24 * 60 * 60 * 1000))
        });
        // Start renewal process
        this.obtainCertificate(domain, true).catch(err => {
          console.error(`Error renewing certificate for ${domain}:`, err);
        });
      }
    }
  }
  /**
   * Emits a certificate event with the certificate data
   * @param eventType The event type to emit
   * @param data The certificate data
   */
  private emitCertificateEvent(eventType: CertManagerEvents, data: ICertificateData): void {
    this.emit(eventType, data);
  }
 }
--- a/ts/classes.portproxy.ts
+++ b/ts/classes.portproxy.ts
--- a/ts/classes.router.ts
+++ b/ts/classes.router.ts
@ -0,0 +1,351 @@
 import * as http from 'http';
 import * as url from 'url';
 import * as tsclass from '@tsclass/tsclass';
 /**
 * Optional path pattern configuration that can be added to proxy configs
 */
 export interface IPathPatternConfig {
  pathPattern?: string;
 }
 /**
 * Interface for router result with additional metadata
 */
 export interface IRouterResult {
  config: tsclass.network.IReverseProxyConfig;
  pathMatch?: string;
  pathParams?: Record<string, string>;
  pathRemainder?: string;
 }
 export class ProxyRouter {
  // Store original configs for reference
  private reverseProxyConfigs: tsclass.network.IReverseProxyConfig[] = [];
  // Default config to use when no match is found (optional)
  private defaultConfig?: tsclass.network.IReverseProxyConfig;
  // Store path patterns separately since they're not in the original interface
  private pathPatterns: Map<tsclass.network.IReverseProxyConfig, string> = new Map();
  // Logger interface
  private logger: { 
    error: (message: string, data?: any) => void;
    warn: (message: string, data?: any) => void;
    info: (message: string, data?: any) => void;
    debug: (message: string, data?: any) => void;
  };
  constructor(
    configs?: tsclass.network.IReverseProxyConfig[],
    logger?: { 
      error: (message: string, data?: any) => void;
      warn: (message: string, data?: any) => void;
      info: (message: string, data?: any) => void;
      debug: (message: string, data?: any) => void;
    }
  ) {
    this.logger = logger || console;
    if (configs) {
      this.setNewProxyConfigs(configs);
    }
  }
  /**
   * Sets a new set of reverse configs to be routed to
   * @param reverseCandidatesArg Array of reverse proxy configurations
   */
  public setNewProxyConfigs(reverseCandidatesArg: tsclass.network.IReverseProxyConfig[]): void {
    this.reverseProxyConfigs = [...reverseCandidatesArg];
    // Find default config if any (config with "*" as hostname)
    this.defaultConfig = this.reverseProxyConfigs.find(config => config.hostName === '*');
    this.logger.info(`Router initialized with ${this.reverseProxyConfigs.length} configs (${this.getHostnames().length} unique hosts)`);
  }
  /**
   * Routes a request based on hostname and path
   * @param req The incoming HTTP request
   * @returns The matching proxy config or undefined if no match found
   */
  public routeReq(req: http.IncomingMessage): tsclass.network.IReverseProxyConfig {
    const result = this.routeReqWithDetails(req);
    return result ? result.config : undefined;
  }
  /**
   * Routes a request with detailed matching information
   * @param req The incoming HTTP request
   * @returns Detailed routing result including matched config and path information
   */
  public routeReqWithDetails(req: http.IncomingMessage): IRouterResult | undefined {
    // Extract and validate host header
    const originalHost = req.headers.host;
    if (!originalHost) {
      this.logger.error('No host header found in request');
      return this.defaultConfig ? { config: this.defaultConfig } : undefined;
    }
    // Parse URL for path matching
    const parsedUrl = url.parse(req.url || '/');
    const urlPath = parsedUrl.pathname || '/';
    // Extract hostname without port
    const hostWithoutPort = originalHost.split(':')[0].toLowerCase();
    // First try exact hostname match
    const exactConfig = this.findConfigForHost(hostWithoutPort, urlPath);
    if (exactConfig) {
      return exactConfig;
    }
    // Try wildcard subdomain
    if (hostWithoutPort.includes('.')) {
      const domainParts = hostWithoutPort.split('.');
      if (domainParts.length > 2) {
        const wildcardDomain = `*.${domainParts.slice(1).join('.')}`;
        const wildcardConfig = this.findConfigForHost(wildcardDomain, urlPath);
        if (wildcardConfig) {
          return wildcardConfig;
        }
      }
    }
    // Fall back to default config if available
    if (this.defaultConfig) {
      this.logger.warn(`No specific config found for host: ${hostWithoutPort}, using default`);
      return { config: this.defaultConfig };
    }
    this.logger.error(`No config found for host: ${hostWithoutPort}`);
    return undefined;
  }
  /**
   * Find a config for a specific host and path
   */
  private findConfigForHost(hostname: string, path: string): IRouterResult | undefined {
    // Find all configs for this hostname
    const configs = this.reverseProxyConfigs.filter(
      config => config.hostName.toLowerCase() === hostname.toLowerCase()
    );
    if (configs.length === 0) {
      return undefined;
    }
    // First try configs with path patterns
    const configsWithPaths = configs.filter(config => this.pathPatterns.has(config));
    // Sort by path pattern specificity - more specific first
    configsWithPaths.sort((a, b) => {
      const aPattern = this.pathPatterns.get(a) || '';
      const bPattern = this.pathPatterns.get(b) || '';
      // Exact patterns come before wildcard patterns
      const aHasWildcard = aPattern.includes('*');
      const bHasWildcard = bPattern.includes('*');
      if (aHasWildcard && !bHasWildcard) return 1;
      if (!aHasWildcard && bHasWildcard) return -1;
      // Longer patterns are considered more specific
      return bPattern.length - aPattern.length;
    });
    // Check each config with path pattern
    for (const config of configsWithPaths) {
      const pathPattern = this.pathPatterns.get(config);
      if (pathPattern) {
        const pathMatch = this.matchPath(path, pathPattern);
        if (pathMatch) {
          return {
            config,
            pathMatch: pathMatch.matched,
            pathParams: pathMatch.params,
            pathRemainder: pathMatch.remainder
          };
        }
      }
    }
    // If no path pattern matched, use the first config without a path pattern
    const configWithoutPath = configs.find(config => !this.pathPatterns.has(config));
    if (configWithoutPath) {
      return { config: configWithoutPath };
    }
    return undefined;
  }
  /**
   * Matches a URL path against a pattern
   * Supports:
   * - Exact matches: /users/profile
   * - Wildcards: /api/* (matches any path starting with /api/)
   * - Path parameters: /users/:id (captures id as a parameter)
   * 
   * @param path The URL path to match
   * @param pattern The pattern to match against
   * @returns Match result with params and remainder, or null if no match
   */
  private matchPath(path: string, pattern: string): { 
    matched: string; 
    params: Record<string, string>; 
    remainder: string;
  } | null {
    // Handle exact match
    if (path === pattern) {
      return {
        matched: pattern,
        params: {},
        remainder: ''
      };
    }
    // Handle wildcard match
    if (pattern.endsWith('/*')) {
      const prefix = pattern.slice(0, -2);
      if (path === prefix || path.startsWith(`${prefix}/`)) {
        return {
          matched: prefix,
          params: {},
          remainder: path.slice(prefix.length)
        };
      }
      return null;
    }
    // Handle path parameters
    const patternParts = pattern.split('/').filter(p => p);
    const pathParts = path.split('/').filter(p => p);
    // Too few path parts to match
    if (pathParts.length < patternParts.length) {
      return null;
    }
    const params: Record<string, string> = {};
    // Compare each part
    for (let i = 0; i < patternParts.length; i++) {
      const patternPart = patternParts[i];
      const pathPart = pathParts[i];
      // Handle parameter
      if (patternPart.startsWith(':')) {
        const paramName = patternPart.slice(1);
        params[paramName] = pathPart;
        continue;
      }
      // Handle wildcard at the end
      if (patternPart === '*' && i === patternParts.length - 1) {
        break;
      }
      // Handle exact match for this part
      if (patternPart !== pathPart) {
        return null;
      }
    }
    // Calculate the remainder - the unmatched path parts
    const remainderParts = pathParts.slice(patternParts.length);
    const remainder = remainderParts.length ? '/' + remainderParts.join('/') : '';
    // Calculate the matched path
    const matchedParts = patternParts.map((part, i) => {
      return part.startsWith(':') ? pathParts[i] : part;
    });
    const matched = '/' + matchedParts.join('/');
    return {
      matched,
      params,
      remainder
    };
  }
  /**
   * Gets all currently active proxy configurations
   * @returns Array of all active configurations
   */
  public getProxyConfigs(): tsclass.network.IReverseProxyConfig[] {
    return [...this.reverseProxyConfigs];
  }
  /**
   * Gets all hostnames that this router is configured to handle
   * @returns Array of hostnames
   */
  public getHostnames(): string[] {
    const hostnames = new Set<string>();
    for (const config of this.reverseProxyConfigs) {
      if (config.hostName !== '*') {
        hostnames.add(config.hostName.toLowerCase());
      }
    }
    return Array.from(hostnames);
  }
  /**
   * Adds a single new proxy configuration
   * @param config The configuration to add
   * @param pathPattern Optional path pattern for route matching
   */
  public addProxyConfig(
    config: tsclass.network.IReverseProxyConfig, 
    pathPattern?: string
  ): void {
    this.reverseProxyConfigs.push(config);
    // Store path pattern if provided
    if (pathPattern) {
      this.pathPatterns.set(config, pathPattern);
    }
  }
  /**
   * Sets a path pattern for an existing config
   * @param config The existing configuration
   * @param pathPattern The path pattern to set
   * @returns Boolean indicating if the config was found and updated
   */
  public setPathPattern(
    config: tsclass.network.IReverseProxyConfig, 
    pathPattern: string
  ): boolean {
    const exists = this.reverseProxyConfigs.includes(config);
    if (exists) {
      this.pathPatterns.set(config, pathPattern);
      return true;
    }
    return false;
  }
  /**
   * Removes a proxy configuration by hostname
   * @param hostname The hostname to remove
   * @returns Boolean indicating whether any configs were removed
   */
  public removeProxyConfig(hostname: string): boolean {
    const initialCount = this.reverseProxyConfigs.length;
    // Find configs to remove
    const configsToRemove = this.reverseProxyConfigs.filter(
      config => config.hostName === hostname
    );
    // Remove them from the patterns map
    for (const config of configsToRemove) {
      this.pathPatterns.delete(config);
    }
    // Filter them out of the configs array
    this.reverseProxyConfigs = this.reverseProxyConfigs.filter(
      config => config.hostName !== hostname
    );
    return this.reverseProxyConfigs.length !== initialCount;
  }
 }
--- a/ts/smartproxy.classes.sslredirect.ts
+++ b/ts/smartproxy.classes.sslredirect.ts
@ -1,4 +1,4 @@
-import * as plugins from './smartproxy.plugins.js';
+import * as plugins from './plugins.js';
 export class SslRedirect {
  httpServer: plugins.http.Server;
--- a/ts/smartproxy.helpers.certificates.ts
+++ b/ts/smartproxy.helpers.certificates.ts
--- a/ts/index.ts
+++ b/ts/index.ts
@ -1,3 +1,5 @@
-export * from './smartproxy.classes.networkproxy.js';
+export * from './classes.iptablesproxy.js';
-export * from './smartproxy.portproxy.js';
+export * from './classes.networkproxy.js';
-export * from './smartproxy.classes.sslredirect.js';
+export * from './classes.portproxy.js';
 export * from './classes.port80handler.js';
 export * from './classes.sslredirect.js';
--- a/ts/smartproxy.plugins.ts
+++ b/ts/smartproxy.plugins.ts
@ -1,10 +1,13 @@
 // node native scope
 import { EventEmitter } from 'events';
 import * as http from 'http';
 import * as https from 'https';
 import * as net from 'net';
 import * as tls from 'tls';
 import * as url from 'url';
-export { http, https, net, url };
+
 export { EventEmitter, http, https, net, tls, url };
 // tsclass scope
 import * as tsclass from '@tsclass/tsclass';
@ -21,7 +24,10 @@ import * as smartstring from '@push.rocks/smartstring';
 export { lik, smartdelay, smartrequest, smartpromise, smartstring };
 // third party scope
 import * as acme from 'acme-client';
 import prettyMs from 'pretty-ms';
 import * as ws from 'ws';
 import wsDefault from 'ws';
 import { minimatch } from 'minimatch';
-export { wsDefault, ws };
+export { acme, prettyMs, ws, wsDefault, minimatch };
--- a/ts/smartproxy.classes.networkproxy.ts
+++ b/ts/smartproxy.classes.networkproxy.ts
@ -1,369 +0,0 @@
 import * as plugins from './smartproxy.plugins.js';
 import { ProxyRouter } from './smartproxy.classes.router.js';
 import * as fs from 'fs';
 import * as path from 'path';
 import { fileURLToPath } from 'url';
 export interface INetworkProxyOptions {
  port: number;
 }
 interface IWebSocketWithHeartbeat extends plugins.wsDefault {
  lastPong: number;
 }
 export class NetworkProxy {
  public options: INetworkProxyOptions;
  public proxyConfigs: plugins.tsclass.network.IReverseProxyConfig[] = [];
  public httpsServer: plugins.https.Server;
  public router = new ProxyRouter();
  public socketMap = new plugins.lik.ObjectMap<plugins.net.Socket>();
  public defaultHeaders: { [key: string]: string } = {};
  public heartbeatInterval: NodeJS.Timeout;
  private defaultCertificates: { key: string; cert: string };
  public alreadyAddedReverseConfigs: {
    [hostName: string]: plugins.tsclass.network.IReverseProxyConfig;
  } = {};
  constructor(optionsArg: INetworkProxyOptions) {
    this.options = optionsArg;
    const __dirname = path.dirname(fileURLToPath(import.meta.url));
    const certPath = path.join(__dirname, '..', 'assets', 'certs');
    try {
      this.defaultCertificates = {
        key: fs.readFileSync(path.join(certPath, 'key.pem'), 'utf8'),
        cert: fs.readFileSync(path.join(certPath, 'cert.pem'), 'utf8')
      };
    } catch (error) {
      console.error('Error loading certificates:', error);
      throw error;
    }
  }
  public async start() {
    // Instead of marking the callback async (which Node won't await),
    // we call our async handler and catch errors.
    this.httpsServer = plugins.https.createServer(
      {
        key: this.defaultCertificates.key,
        cert: this.defaultCertificates.cert
      },
      (originRequest, originResponse) => {
        this.handleRequest(originRequest, originResponse).catch((error) => {
          console.error('Unhandled error in request handler:', error);
          try {
            originResponse.end();
          } catch (err) {
            // ignore errors during cleanup
          }
        });
      },
    );
    // Enable websockets
    const wsServer = new plugins.ws.WebSocketServer({ server: this.httpsServer });
    // Set up the heartbeat interval
    this.heartbeatInterval = setInterval(() => {
      wsServer.clients.forEach((ws: plugins.wsDefault) => {
        const wsIncoming = ws as IWebSocketWithHeartbeat;
        if (!wsIncoming.lastPong) {
          wsIncoming.lastPong = Date.now();
        }
        if (Date.now() - wsIncoming.lastPong > 5 * 60 * 1000) {
          console.log('Terminating websocket due to missing pong for 5 minutes.');
          wsIncoming.terminate();
        } else {
          wsIncoming.ping();
        }
      });
    }, 60000); // runs every 1 minute
    wsServer.on(
      'connection',
      (wsIncoming: IWebSocketWithHeartbeat, reqArg: plugins.http.IncomingMessage) => {
        console.log(
          `wss proxy: got connection for wsc for https://${reqArg.headers.host}${reqArg.url}`,
        );
        wsIncoming.lastPong = Date.now();
        wsIncoming.on('pong', () => {
          wsIncoming.lastPong = Date.now();
        });
        let wsOutgoing: plugins.wsDefault;
        const outGoingDeferred = plugins.smartpromise.defer();
        // --- Improvement 2: Only call routeReq once ---
        const wsDestinationConfig = this.router.routeReq(reqArg);
        if (!wsDestinationConfig) {
          wsIncoming.terminate();
          return;
        }
        try {
          wsOutgoing = new plugins.wsDefault(
            `ws://${wsDestinationConfig.destinationIp}:${wsDestinationConfig.destinationPort}${reqArg.url}`,
          );
          console.log('wss proxy: initiated outgoing proxy');
          wsOutgoing.on('open', async () => {
            outGoingDeferred.resolve();
          });
        } catch (err) {
          console.error('Error initiating outgoing WebSocket:', err);
          wsIncoming.terminate();
          return;
        }
        wsIncoming.on('message', async (message, isBinary) => {
          try {
            await outGoingDeferred.promise;
            wsOutgoing.send(message, { binary: isBinary });
          } catch (error) {
            console.error('Error sending message to wsOutgoing:', error);
          }
        });
        wsOutgoing.on('message', async (message, isBinary) => {
          try {
            wsIncoming.send(message, { binary: isBinary });
          } catch (error) {
            console.error('Error sending message to wsIncoming:', error);
          }
        });
        const terminateWsOutgoing = () => {
          if (wsOutgoing) {
            wsOutgoing.terminate();
            console.log('Terminated outgoing ws.');
          }
        };
        wsIncoming.on('error', terminateWsOutgoing);
        wsIncoming.on('close', terminateWsOutgoing);
        const terminateWsIncoming = () => {
          if (wsIncoming) {
            wsIncoming.terminate();
            console.log('Terminated incoming ws.');
          }
        };
        wsOutgoing.on('error', terminateWsIncoming);
        wsOutgoing.on('close', terminateWsIncoming);
      },
    );
    this.httpsServer.keepAliveTimeout = 600 * 1000;
    this.httpsServer.headersTimeout = 600 * 1000;
    this.httpsServer.on('connection', (connection: plugins.net.Socket) => {
      this.socketMap.add(connection);
      console.log(`Added connection. Now ${this.socketMap.getArray().length} sockets connected.`);
      const cleanupConnection = () => {
        if (this.socketMap.checkForObject(connection)) {
          this.socketMap.remove(connection);
          console.log(`Removed connection. ${this.socketMap.getArray().length} sockets remaining.`);
          connection.destroy();
        }
      };
      connection.on('close', cleanupConnection);
      connection.on('error', cleanupConnection);
      connection.on('end', cleanupConnection);
      connection.on('timeout', cleanupConnection);
    });
    this.httpsServer.listen(this.options.port);
    console.log(
      `NetworkProxy -> OK: now listening for new connections on port ${this.options.port}`,
    );
  }
  /**
   * Internal async handler for processing HTTP/HTTPS requests.
   */
  private async handleRequest(
    originRequest: plugins.http.IncomingMessage,
    originResponse: plugins.http.ServerResponse,
  ): Promise<void> {
    const endOriginReqRes = (
      statusArg: number = 404,
      messageArg: string = 'This route is not available on this server.',
      headers: plugins.http.OutgoingHttpHeaders = {},
    ) => {
      originResponse.writeHead(statusArg, messageArg);
      originResponse.end(messageArg);
      if (originRequest.socket !== originResponse.socket) {
        console.log('hey, something is strange.');
      }
      originResponse.destroy();
    };
    console.log(
      `got request: ${originRequest.headers.host}${plugins.url.parse(originRequest.url).path}`,
    );
    const destinationConfig = this.router.routeReq(originRequest);
    if (!destinationConfig) {
      console.log(
        `${originRequest.headers.host} can't be routed properly. Terminating request.`,
      );
      endOriginReqRes();
      return;
    }
    // authentication
    if (destinationConfig.authentication) {
      const authInfo = destinationConfig.authentication;
      switch (authInfo.type) {
        case 'Basic': {
          const authHeader = originRequest.headers.authorization;
          if (!authHeader) {
            return endOriginReqRes(401, 'Authentication required', {
              'WWW-Authenticate': 'Basic realm="Access to the staging site", charset="UTF-8"',
            });
          }
          if (!authHeader.includes('Basic ')) {
            return endOriginReqRes(401, 'Authentication required', {
              'WWW-Authenticate': 'Basic realm="Access to the staging site", charset="UTF-8"',
            });
          }
          const authStringBase64 = authHeader.replace('Basic ', '');
          const authString: string = plugins.smartstring.base64.decode(authStringBase64);
          const userPassArray = authString.split(':');
          const user = userPassArray[0];
          const pass = userPassArray[1];
          if (user === authInfo.user && pass === authInfo.pass) {
            console.log('Request successfully authenticated');
          } else {
            return endOriginReqRes(403, 'Forbidden: Wrong credentials');
          }
          break;
        }
        default:
          return endOriginReqRes(
            403,
            'Forbidden: unsupported authentication method configured. Please report to the admin.',
          );
      }
    }
    let destinationUrl: string;
    if (destinationConfig) {
      destinationUrl = `http://${destinationConfig.destinationIp}:${destinationConfig.destinationPort}${originRequest.url}`;
    } else {
      return endOriginReqRes();
    }
    console.log(destinationUrl);
    try {
      const proxyResponse = await plugins.smartrequest.request(
        destinationUrl,
        {
          method: originRequest.method,
          headers: {
            ...originRequest.headers,
            'X-Forwarded-Host': originRequest.headers.host,
            'X-Forwarded-Proto': 'https',
          },
          keepAlive: true,
        },
        true, // streaming (keepAlive)
        (proxyRequest) => {
          originRequest.on('data', (data) => {
            proxyRequest.write(data);
          });
          originRequest.on('end', () => {
            proxyRequest.end();
          });
          originRequest.on('error', () => {
            proxyRequest.end();
          });
          originRequest.on('close', () => {
            proxyRequest.end();
          });
          originRequest.on('timeout', () => {
            proxyRequest.end();
            originRequest.destroy();
          });
          proxyRequest.on('error', () => {
            endOriginReqRes();
          });
        },
      );
      originResponse.statusCode = proxyResponse.statusCode;
      console.log(proxyResponse.statusCode);
      for (const defaultHeader of Object.keys(this.defaultHeaders)) {
        originResponse.setHeader(defaultHeader, this.defaultHeaders[defaultHeader]);
      }
      for (const header of Object.keys(proxyResponse.headers)) {
        originResponse.setHeader(header, proxyResponse.headers[header]);
      }
      proxyResponse.on('data', (data) => {
        originResponse.write(data);
      });
      proxyResponse.on('end', () => {
        originResponse.end();
      });
      proxyResponse.on('error', () => {
        originResponse.destroy();
      });
      proxyResponse.on('close', () => {
        originResponse.end();
      });
      proxyResponse.on('timeout', () => {
        originResponse.end();
        originResponse.destroy();
      });
    } catch (error) {
      console.error('Error while processing request:', error);
      endOriginReqRes(502, 'Bad Gateway: Error processing the request');
    }
  }
  public async updateProxyConfigs(
    proxyConfigsArg: plugins.tsclass.network.IReverseProxyConfig[],
  ) {
    console.log(`got new proxy configs`);
    this.proxyConfigs = proxyConfigsArg;
    this.router.setNewProxyConfigs(proxyConfigsArg);
    for (const hostCandidate of this.proxyConfigs) {
      const existingHostNameConfig = this.alreadyAddedReverseConfigs[hostCandidate.hostName];
      if (!existingHostNameConfig) {
        this.alreadyAddedReverseConfigs[hostCandidate.hostName] = hostCandidate;
      } else {
        if (
          existingHostNameConfig.publicKey === hostCandidate.publicKey &&
          existingHostNameConfig.privateKey === hostCandidate.privateKey
        ) {
          continue;
        } else {
          this.alreadyAddedReverseConfigs[hostCandidate.hostName] = hostCandidate;
        }
      }
      this.httpsServer.addContext(hostCandidate.hostName, {
        cert: hostCandidate.publicKey,
        key: hostCandidate.privateKey,
      });
    }
  }
  public async addDefaultHeaders(headersArg: { [key: string]: string }) {
    for (const headerKey of Object.keys(headersArg)) {
      this.defaultHeaders[headerKey] = headersArg[headerKey];
    }
  }
  public async stop() {
    const done = plugins.smartpromise.defer();
    this.httpsServer.close(() => {
      done.resolve();
    });
    for (const socket of this.socketMap.getArray()) {
      socket.destroy();
    }
    await done.promise;
    clearInterval(this.heartbeatInterval);
    console.log('NetworkProxy -> OK: Server has been stopped and all connections closed.');
  }
 }
--- a/ts/smartproxy.classes.router.ts
+++ b/ts/smartproxy.classes.router.ts
@ -1,33 +0,0 @@
 import * as plugins from './smartproxy.plugins.js';
 export class ProxyRouter {
  public reverseProxyConfigs: plugins.tsclass.network.IReverseProxyConfig[] = [];
  /**
   * sets a new set of reverse configs to be routed to
   * @param reverseCandidatesArg
   */
  public setNewProxyConfigs(reverseCandidatesArg: plugins.tsclass.network.IReverseProxyConfig[]) {
    this.reverseProxyConfigs = reverseCandidatesArg;
  }
  /**
   * routes a request
   */
  public routeReq(req: plugins.http.IncomingMessage): plugins.tsclass.network.IReverseProxyConfig {
    const originalHost = req.headers.host;
    if (!originalHost) {
      console.error('No host header found in request');
      return undefined;
    }
    // Strip port from host if present
    const hostWithoutPort = originalHost.split(':')[0];
    const correspodingReverseProxyConfig = this.reverseProxyConfigs.find((reverseConfig) => {
      return reverseConfig.hostName === hostWithoutPort;
    });
    if (!correspodingReverseProxyConfig) {
      console.error(`No config found for host: ${hostWithoutPort}`);
    }
    return correspodingReverseProxyConfig;
  }
 }
--- a/ts/smartproxy.portproxy.ts
+++ b/ts/smartproxy.portproxy.ts
@ -1,70 +0,0 @@
 import * as plugins from './smartproxy.plugins.js';
 import * as net from 'net';
 export class PortProxy {
  netServer: plugins.net.Server;
  fromPort: number;
  toPort: number;
  constructor(fromPortArg: number, toPortArg: number) {
    this.fromPort = fromPortArg;
    this.toPort = toPortArg;
  }
  public async start() {
    const cleanUpSockets = (from: plugins.net.Socket, to: plugins.net.Socket) => {
      from.end();
      to.end();
      from.removeAllListeners();
      to.removeAllListeners();
      from.unpipe();
      to.unpipe();
      from.destroy();
      to.destroy();
    };
    this.netServer = net
      .createServer((from) => {
        const to = net.createConnection({
          host: 'localhost',
          port: this.toPort,
        });
        from.setTimeout(120000);
        from.pipe(to);
        to.pipe(from);
        from.on('error', () => {
          cleanUpSockets(from, to);
        });
        to.on('error', () => {
          cleanUpSockets(from, to);
        });
        from.on('close', () => {
          cleanUpSockets(from, to);
        });
        to.on('close', () => {
          cleanUpSockets(from, to);
        });
        from.on('timeout', () => {
          cleanUpSockets(from, to);
        });
        to.on('timeout', () => {
          cleanUpSockets(from, to);
        });
        from.on('end', () => {
          cleanUpSockets(from, to);
        });
        to.on('end', () => {
          cleanUpSockets(from, to);
        });
      })
      .listen(this.fromPort);
    console.log(`PortProxy -> OK: Now listening on port ${this.fromPort}`);
  }
  public async stop() {
    const done = plugins.smartpromise.defer();
    this.netServer.close(() => {
      done.resolve();
    });
    await done.promise;
  }
 }
Author	SHA1	Message	Date
Philipp Kunz	d6027c11c1	3.29.0 Some checks failed Default (tags) / security (push) Successful in 39s Details Default (tags) / test (push) Failing after 49s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-03-07 14:30:38 +00:00
Philipp Kunz	bbdea52677	feat(IPTablesProxy): Enhanced IPTablesProxy with multi-port and IPv6 support	2025-03-07 14:30:38 +00:00
Philipp Kunz	d8585975a8	3.28.6 Some checks failed Default (tags) / security (push) Successful in 39s Details Default (tags) / test (push) Failing after 49s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-03-07 11:16:45 +00:00
Philipp Kunz	98c61cccbb	fix(PortProxy): Adjust default timeout settings and enhance keep-alive connection handling in PortProxy.	2025-03-07 11:16:44 +00:00
Philipp Kunz	b3dcc0ae22	3.28.5	2025-03-07 02:55:19 +00:00
Philipp Kunz	b96d7dec98	fix(core): Ensure proper resource cleanup during server shutdown.	2025-03-07 02:55:19 +00:00
Philipp Kunz	0d0a1c740b	3.28.4	2025-03-07 02:54:34 +00:00
Philipp Kunz	9bd87b8437	fix(router): Improve path pattern matching and hostname prioritization in router	2025-03-07 02:54:34 +00:00
Philipp Kunz	0e281b3243	3.28.3	2025-03-06 23:08:57 +00:00
Philipp Kunz	a14b7802c4	fix(PortProxy): Ensure timeout values are within Node.js safe limits	2025-03-06 23:08:57 +00:00
Philipp Kunz	138900ca8b	3.28.2	2025-03-06 23:00:24 +00:00
Philipp Kunz	cb6c2503e2	fix(portproxy): Adjust safe timeout defaults in PortProxy to prevent overflow issues.	2025-03-06 23:00:24 +00:00
Philipp Kunz	f3fd903231	3.28.1	2025-03-06 22:56:19 +00:00
Philipp Kunz	0e605d9a9d	fix(PortProxy): Improved code formatting and readability in PortProxy class by adjusting spacing and comments.	2025-03-06 22:56:18 +00:00
Philipp Kunz	1718a3b2f2	3.28.0	2025-03-06 08:36:19 +00:00
Philipp Kunz	568f77e65b	feat(router): Add detailed routing tests and refactor ProxyRouter for improved path matching	2025-03-06 08:36:19 +00:00
Philipp Kunz	e212dacbf3	3.27.0	2025-03-06 08:27:44 +00:00
Philipp Kunz	eea8942670	feat(AcmeCertManager): Introduce AcmeCertManager for enhanced ACME certificate management	2025-03-06 08:27:44 +00:00
Philipp Kunz	0574331b91	3.26.0	2025-03-05 18:47:38 +00:00
Philipp Kunz	06e6c2eb52	feat(readme): Updated README with enhanced TLS handling, connection management, and troubleshooting sections.	2025-03-05 18:47:38 +00:00
Philipp Kunz	edd9db31c2	3.25.4	2025-03-05 18:40:42 +00:00
Philipp Kunz	d4251b2cf9	fix(portproxy): Improve connection timeouts and detailed logging for PortProxy	2025-03-05 18:40:42 +00:00
Philipp Kunz	4ccc1db8a2	3.25.3	2025-03-05 18:25:01 +00:00
Philipp Kunz	7e3ed93bc9	fix(core): Update dependencies and configuration improvements.	2025-03-05 18:25:01 +00:00
Philipp Kunz	fa793f2c4a	3.25.2	2025-03-05 18:24:28 +00:00
Philipp Kunz	fe8106f0c8	fix(PortProxy): Adjust timeout settings and handle inactivity properly in PortProxy.	2025-03-05 18:24:28 +00:00
Philipp Kunz	b317ab8b3a	3.25.1	2025-03-05 18:07:40 +00:00
Philipp Kunz	4fd5524a0f	fix(PortProxy): Adjust inactivity threshold to a random value between 20 and 30 minutes for better variability	2025-03-05 18:07:39 +00:00
Philipp Kunz	2013d03ac6	3.25.0	2025-03-05 17:46:26 +00:00
Philipp Kunz	0e888c5add	feat(PortProxy): Enhanced PortProxy with detailed logging, protocol detection, and rate limiting.	2025-03-05 17:46:25 +00:00
Philipp Kunz	7f891a304c	3.24.0	2025-03-05 17:06:51 +00:00
Philipp Kunz	f6cc665f12	feat(core): Enhance core functionalities and test coverage for NetworkProxy and PortProxy	2025-03-05 17:06:51 +00:00
Philipp Kunz	48c5ea3b1d	3.23.1	2025-03-05 14:33:10 +00:00
Philipp Kunz	bd9292bf47	fix(PortProxy): Enhanced connection setup to handle pending data buffering before establishing outgoing connection	2025-03-05 14:33:09 +00:00
Philipp Kunz	6532e6f0e0	3.23.0	2025-03-03 03:18:49 +00:00
Philipp Kunz	8791da83b4	feat(documentation): Updated documentation with architecture flow diagrams.	2025-03-03 03:18:49 +00:00
Philipp Kunz	9ad08edf79	3.22.5	2025-03-03 03:05:50 +00:00
Philipp Kunz	c0de8c59a2	fix(documentation): Refactored readme for clarity and consistency, fixed documentation typos	2025-03-03 03:05:49 +00:00
Philipp Kunz	3748689c16	3.22.4	2025-03-03 02:16:48 +00:00
Philipp Kunz	d0b3139fda	fix(core): Addressed minor issues in the core modules to improve stability and performance.	2025-03-03 02:16:48 +00:00
Philipp Kunz	fd4f731ada	3.22.3	2025-03-03 02:14:22 +00:00
Philipp Kunz	ced9b5b27b	fix(core): Improve connection management and error handling in PortProxy	2025-03-03 02:14:21 +00:00
Philipp Kunz	eb70a86304	3.22.2	2025-03-03 02:03:24 +00:00
Philipp Kunz	131d9d326e	fix(portproxy): Refactored connection cleanup logic in PortProxy	2025-03-03 02:03:24 +00:00
Philipp Kunz	12de96a7d5	3.22.1	2025-03-03 01:57:52 +00:00
Philipp Kunz	296e1fcdc7	fix(PortProxy): Fix connection timeout and IP validation handling for PortProxy	2025-03-03 01:57:52 +00:00
Philipp Kunz	8459e4013c	3.22.0	2025-03-03 01:50:30 +00:00
Philipp Kunz	191c8ac0e6	feat(classes.portproxy): Enhanced PortProxy to support initial data timeout and improved IP handling	2025-03-03 01:50:30 +00:00
Philipp Kunz	3ab483d164	3.21.0	2025-03-03 01:42:16 +00:00
Philipp Kunz	fcd80dc56b	feat(PortProxy): Enhancements to connection management in PortProxy	2025-03-03 01:42:16 +00:00
Philipp Kunz	8ddffcd6e5	3.20.2	2025-03-01 20:31:50 +00:00
Philipp Kunz	a5a7781c17	fix(PortProxy): Enhance connection cleanup handling in PortProxy	2025-03-01 20:31:50 +00:00
Philipp Kunz	d647e77cdf	3.20.1	2025-03-01 17:32:31 +00:00
Philipp Kunz	9161336197	fix(PortProxy): Improve IP allowance check for forced domains	2025-03-01 17:32:31 +00:00
Philipp Kunz	2e63d13dd4	3.20.0	2025-03-01 17:19:27 +00:00
Philipp Kunz	af6ed735d5	feat(PortProxy): Enhance PortProxy with advanced connection cleanup and logging	2025-03-01 17:19:27 +00:00
Philipp Kunz	7d38f29ef3	3.19.0	2025-03-01 13:17:05 +00:00
Philipp Kunz	0df26d4367	feat(PortProxy): Enhance PortProxy with default blocked IPs	2025-03-01 13:17:05 +00:00
Philipp Kunz	f9a6e2d748	3.18.2	2025-02-27 21:25:03 +00:00
Philipp Kunz	1cb6302750	fix(portproxy): Fixed typographical errors in comments within PortProxy class.	2025-02-27 21:25:03 +00:00
Philipp Kunz	f336f25535	3.18.1	2025-02-27 21:19:34 +00:00
Philipp Kunz	5d6b707440	fix(PortProxy): Refactor and enhance PortProxy test cases and handling	2025-02-27 21:19:34 +00:00
Philipp Kunz	622ad2ff20	3.18.0	2025-02-27 20:59:29 +00:00
Philipp Kunz	dd23efd28d	feat(PortProxy): Add SNI-based renegotiation handling in PortProxy	2025-02-27 20:59:29 +00:00
Philipp Kunz	0ddf68a919	3.17.1	2025-02-27 20:10:26 +00:00
Philipp Kunz	ec08ca51f5	fix(PortProxy): Fix handling of SNI re-negotiation in PortProxy	2025-02-27 20:10:26 +00:00
Philipp Kunz	29688d1379	3.17.0	2025-02-27 19:57:28 +00:00
Philipp Kunz	c83f6fa278	feat(smartproxy): Enhance description clarity and improve SNI handling with domain locking.	2025-02-27 19:57:27 +00:00
Philipp Kunz	60333b0a59	3.16.9	2025-02-27 15:46:14 +00:00
Philipp Kunz	1aa409907b	fix(portproxy): Extend domain input validation to support string arrays in port proxy configurations.	2025-02-27 15:46:14 +00:00
Philipp Kunz	adee6afc76	3.16.8	2025-02-27 15:41:03 +00:00
Philipp Kunz	4a0792142f	fix(PortProxy): Fix IP filtering for domain and global default allowed lists and improve port-based routing logic.	2025-02-27 15:41:03 +00:00
Philipp Kunz	f1b810a4fa	3.16.7	2025-02-27 15:32:06 +00:00
Philipp Kunz	96b5877c5f	fix(PortProxy): Improved IP validation logic in PortProxy to ensure correct domain matching and fallback	2025-02-27 15:32:06 +00:00
Philipp Kunz	6d627f67f7	3.16.6	2025-02-27 15:30:20 +00:00
Philipp Kunz	9af968b8e7	fix(PortProxy): Optimize connection cleanup logic in PortProxy by removing unnecessary delays.	2025-02-27 15:30:20 +00:00
Philipp Kunz	b3ba0c21e8	3.16.5	2025-02-27 15:05:38 +00:00
Philipp Kunz	ef707a5870	fix(PortProxy): Improved connection cleanup process with added asynchronous delays	2025-02-27 15:05:38 +00:00
Philipp Kunz	6ca14edb38	3.16.4	2025-02-27 14:23:44 +00:00
Philipp Kunz	5a5686b6b9	fix(PortProxy): Fix and enhance port proxy handling	2025-02-27 14:23:44 +00:00
Philipp Kunz	2080f419cb	3.16.3	2025-02-27 13:04:01 +00:00
Philipp Kunz	659aae297b	fix(PortProxy): Refactored PortProxy to support multiple listening ports and improved modularity.	2025-02-27 13:04:01 +00:00
Philipp Kunz	fcd0f61b5c	3.16.2	2025-02-27 12:54:15 +00:00
Philipp Kunz	7ee35a98e3	fix(PortProxy): Fix port-based routing logic in PortProxy	2025-02-27 12:54:14 +00:00
Philipp Kunz	ea0f6d2270	3.16.1	2025-02-27 12:42:50 +00:00
Philipp Kunz	621ad9e681	fix(core): Updated minor version numbers in dependencies for patch release.	2025-02-27 12:42:50 +00:00
Philipp Kunz	7cea5773ee	3.16.0	2025-02-27 12:41:20 +00:00
Philipp Kunz	a2cb56ba65	feat(PortProxy): Enhancements made to PortProxy settings and capabilities	2025-02-27 12:41:20 +00:00
Philipp Kunz	408b793149	3.15.0	2025-02-27 12:25:48 +00:00
Philipp Kunz	f6c3d2d3d0	feat(classes.portproxy): Add support for port range-based routing with enhanced IP and port validation.	2025-02-27 12:25:48 +00:00
Philipp Kunz	422eb5ec40	3.14.2	2025-02-26 19:00:09 +00:00
Philipp Kunz	45390c4389	fix(PortProxy): Fix cleanup timer reset for PortProxy	2025-02-26 19:00:09 +00:00
Philipp Kunz	0f2e6d688c	3.14.1	2025-02-26 12:56:00 +00:00
Philipp Kunz	3bd7b70c19	fix(PortProxy): Increased default maxConnectionLifetime for PortProxy to 600000 ms	2025-02-26 12:56:00 +00:00
Philipp Kunz	07a82a09be	3.14.0	2025-02-26 10:29:21 +00:00
Philipp Kunz	23253a2731	feat(PortProxy): Introduce max connection lifetime feature	2025-02-26 10:29:21 +00:00
Philipp Kunz	be31a9b553	3.13.0	2025-02-25 00:56:02 +00:00
Philipp Kunz	a1051f78e8	feat(core): Add support for tagging iptables rules with comments and cleaning them up on process exit	2025-02-25 00:56:01 +00:00
Philipp Kunz	aa756bd698	3.12.0	2025-02-24 23:27:48 +00:00
Philipp Kunz	ff4f44d6fc	feat(IPTablesProxy): Introduce IPTablesProxy class for managing iptables NAT rules	2025-02-24 23:27:48 +00:00
Philipp Kunz	63ebad06ea	3.11.0	2025-02-24 10:00:57 +00:00
Philipp Kunz	31e15b65ec	feat(Port80Handler): Add automatic certificate issuance with ACME client	2025-02-24 10:00:57 +00:00
Philipp Kunz	266895ccc5	3.10.5	2025-02-24 09:53:39 +00:00
Philipp Kunz	dc3d56771b	fix(portproxy): Fix incorrect import path in test file	2025-02-24 09:53:39 +00:00
Philipp Kunz	38601a41bb	3.10.4	2025-02-23 17:38:23 +00:00
Philipp Kunz	a53e6f1019	fix(PortProxy): Refactor connection tracking to utilize unified records in PortProxy	2025-02-23 17:38:22 +00:00
Philipp Kunz	3de35f3b2c	3.10.3	2025-02-23 17:30:41 +00:00
Philipp Kunz	b9210d891e	fix(PortProxy): Refactor and optimize PortProxy for improved readability and maintainability	2025-02-23 17:30:41 +00:00
Philipp Kunz	133d5a47e0	3.10.2	2025-02-23 11:43:21 +00:00
Philipp Kunz	f2f4e47893	fix(PortProxy): Fix connection handling to include timeouts for SNI-enabled connections.	2025-02-23 11:43:21 +00:00
Philipp Kunz	e47436608f	3.10.1	2025-02-22 13:22:26 +00:00
Philipp Kunz	128f8203ac	fix(PortProxy): Improve socket cleanup logic to prevent potential resource leaks	2025-02-22 13:22:26 +00:00
Philipp Kunz	c7697eca84	3.10.0	2025-02-22 05:46:30 +00:00
Philipp Kunz	71b5237cd4	feat(smartproxy.portproxy): Enhance PortProxy with detailed connection statistics and termination tracking	2025-02-22 05:46:30 +00:00
Philipp Kunz	2df2f0ceaf	3.9.4	2025-02-22 05:41:29 +00:00
Philipp Kunz	2b266ca779	fix(PortProxy): Ensure proper cleanup on connection rejection in PortProxy	2025-02-22 05:41:29 +00:00
Philipp Kunz	c2547036fd	3.9.3	2025-02-21 23:57:54 +00:00
Philipp Kunz	a8131ece26	fix(PortProxy): Fix handling of optional outgoing socket in PortProxy	2025-02-21 23:57:54 +00:00
Philipp Kunz	ad8c667dec	3.9.2	2025-02-21 23:33:16 +00:00
Philipp Kunz	942e0649c8	fix(PortProxy): Improve timeout handling for port proxy connections	2025-02-21 23:33:15 +00:00
Philipp Kunz	59625167b4	3.9.1	2025-02-21 23:30:51 +00:00
Philipp Kunz	385d984727	fix(dependencies): Ensure correct ordering of dependencies and improve logging format.	2025-02-21 23:30:51 +00:00
Philipp Kunz	a959c2ad0e	3.9.0	2025-02-21 23:18:17 +00:00
Philipp Kunz	88f5436c9a	feat(smartproxy.portproxy): Add logging of connection durations to PortProxy	2025-02-21 23:18:17 +00:00
Philipp Kunz	06101cd1b1	3.8.1	2025-02-21 23:11:14 +00:00
Philipp Kunz	438d65107d	fix(plugins): Simplified plugin import structure across codebase	2025-02-21 23:11:13 +00:00
Philipp Kunz	233b26c308	3.8.0	2025-02-21 23:05:18 +00:00
Philipp Kunz	ba787729e8	feat(PortProxy): Add active connection tracking and logging in PortProxy	2025-02-21 23:05:17 +00:00
Philipp Kunz	4854d7c38d	3.7.3	2025-02-21 20:17:35 +00:00
Philipp Kunz	e841bda003	fix(portproxy): Fix handling of connections in PortProxy to improve stability and performance.	2025-02-21 20:17:35 +00:00
Philipp Kunz	477b930a37	3.7.2	2025-02-21 19:56:28 +00:00
Philipp Kunz	935bd95723	fix(PortProxy): Improve SNICallback and connection handling in PortProxy	2025-02-21 19:56:28 +00:00
Philipp Kunz	0e33ea4eb5	3.7.1	2025-02-21 19:53:20 +00:00
Philipp Kunz	6181065963	fix(smartproxy.portproxy): Optimize SNI handling by simplifying context creation	2025-02-21 19:53:19 +00:00
Philipp Kunz	1a586dcbd7	3.7.0	2025-02-21 19:44:59 +00:00
Philipp Kunz	ee03224561	feat(PortProxy): Add optional source IP preservation support in PortProxy	2025-02-21 19:44:59 +00:00
Philipp Kunz	483cbb3634	3.6.0	2025-02-21 19:39:52 +00:00
Philipp Kunz	c77b31b72c	feat(PortProxy): Add feature to preserve original client IP through chained proxies	2025-02-21 19:39:52 +00:00
Philipp Kunz	8cb8fa1a52	3.5.0	2025-02-21 19:34:11 +00:00
Philipp Kunz	8e5bb12edb	feat(PortProxy): Enhance PortProxy to support domain-specific target IPs	2025-02-21 19:34:11 +00:00
Philipp Kunz	9be9a426ad	3.4.4	2025-02-21 18:54:40 +00:00
Philipp Kunz	32d875aed9	fix(PortProxy): Fixed handling of SNI domain connections and IP allowance checks	2025-02-21 18:54:40 +00:00
Philipp Kunz	4747462cff	3.4.3	2025-02-21 18:48:39 +00:00
Philipp Kunz	70f69ef1ea	fix(PortProxy): Fixed indentation issue and ensured proper cleanup of sockets in PortProxy	2025-02-21 18:48:39 +00:00
Philipp Kunz	2be1c57dd7	3.4.2	2025-02-21 18:47:18 +00:00
Philipp Kunz	58bd6b4a85	fix(smartproxy): Enhance SSL/TLS handling with SNI and error logging	2025-02-21 18:47:18 +00:00
Philipp Kunz	63e1cd48e8	3.4.1	2025-02-21 18:43:08 +00:00
Philipp Kunz	5150ddc18e	fix(PortProxy): Normalize IP addresses for port proxy to handle IPv4-mapped IPv6 addresses.	2025-02-21 18:43:08 +00:00
Philipp Kunz	4bee483954	3.4.0	2025-02-21 17:01:02 +00:00
Philipp Kunz	4328d4365f	feat(PortProxy): Enhanced PortProxy with custom target host and improved testing	2025-02-21 17:01:02 +00:00
Philipp Kunz	21e9d0fd0d	3.3.1	2025-02-21 15:17:20 +00:00
Philipp Kunz	6c0c65bb1a	fix(PortProxy): fixed import usage of net and tls libraries for PortProxy	2025-02-21 15:17:19 +00:00
Philipp Kunz	23f61eb60b	3.3.0	2025-02-21 15:14:03 +00:00
Philipp Kunz	a4ad6c59c1	feat(PortProxy): Enhanced PortProxy with domain and IP filtering, SNI support, and minimatch integration	2025-02-21 15:14:02 +00:00