3.23.1

changelog.md

@@ -1,5 +1,54 @@
 # Changelog
 
+## 2025-03-05 - 3.23.1 - fix(PortProxy)
+Enhanced connection setup to handle pending data buffering before establishing outgoing connection
+
+- Introduced pending data buffering to address issues with data reception before outgoing connection is fully established.
+- Removed immediate data piping in favor of buffering to ensure complete initial data transfer.
+- Added temporary data handler to collect incoming data during connection setup for precise activity tracking.
+
+## 2025-03-03 - 3.23.0 - feat(documentation)
+Updated documentation with architecture flow diagrams.
+
+- Added detailed architecture and flow diagrams for SmartProxy components.
+- Included HTTPS Reverse Proxy Flow diagram.
+- Integrated Port Proxy with SNI-based Routing diagram.
+- Added Let's Encrypt Certificate Acquisition flow.
+
+## 2025-03-03 - 3.22.5 - fix(documentation)
+Refactored readme for clarity and consistency, fixed documentation typos
+
+- Updated readme to improve clarity and remove redundant information.
+- Fixed minor documentation issues in the code comments.
+- Reorganized readme structure for better readability.
+- Improved sample code snippets for easier understanding.
+
+## 2025-03-03 - 3.22.4 - fix(core)
+Addressed minor issues in the core modules to improve stability and performance.
+
+
+## 2025-03-03 - 3.22.3 - fix(core)
+Improve connection management and error handling in PortProxy
+
+- Refactored connection cleanup to handle errors more gracefully.
+- Introduced comprehensive comments for better code understanding.
+- Revised SNI data timeout logic for connection handling.
+- Enhanced logging and error reporting during connection management.
+- Improved inactivity checks and parity checks for existing connections.
+
+## 2025-03-03 - 3.22.2 - fix(portproxy)
+Refactored connection cleanup logic in PortProxy
+
+- Simplified the connection cleanup logic by removing redundant methods.
+- Consolidated the cleanup initiation and execution into a single cleanup method.
+- Improved error handling by ensuring connections are closed appropriately.
+
+## 2025-03-03 - 3.22.1 - fix(PortProxy)
+Fix connection timeout and IP validation handling for PortProxy
+
+- Adjusted initial data timeout setting for SNI-enabled connections in PortProxy.
+- Restored IP validation logic to original behavior, ensuring compatibility with domain configurations.
+
 ## 2025-03-03 - 3.22.0 - feat(classes.portproxy)
 Enhanced PortProxy to support initial data timeout and improved IP handling
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "3.22.0",
+  "version": "3.23.1",
   "private": false,
   "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.",
   "main": "dist_ts/index.js",

readme.md

@@ -1,228 +1,389 @@
 # @push.rocks/smartproxy
 
-A robust and versatile proxy package designed to handle high workloads, offering features like SSL redirection, port proxying, WebSocket support, and customizable routing and authentication.
+A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.
 
-## Install
+## Architecture & Flow Diagrams
 
-To install `@push.rocks/smartproxy`, run the following command in your project's root directory:
+### Component Architecture
+The diagram below illustrates the main components of SmartProxy and how they interact:
 
-```bash
-npm install @push.rocks/smartproxy --save
+```mermaid
+flowchart TB
+    Client([Client])
+    
+    subgraph "SmartProxy Components"
+        direction TB
+        HTTP80[HTTP Port 80\nSslRedirect]
+        HTTPS443[HTTPS Port 443\nNetworkProxy]
+        PortProxy[TCP Port Proxy\nwith SNI routing]
+        IPTables[IPTablesProxy]
+        Router[ProxyRouter]
+        ACME[Port80Handler\nACME/Let's Encrypt]
+        Certs[(SSL Certificates)]
+    end
+    
+    subgraph "Backend Services"
+        Service1[Service 1]
+        Service2[Service 2]
+        Service3[Service 3]
+    end
+    
+    Client -->|HTTP Request| HTTP80
+    HTTP80 -->|Redirect| Client
+    Client -->|HTTPS Request| HTTPS443
+    Client -->|TLS/TCP| PortProxy
+    
+    HTTPS443 -->|Route Request| Router
+    Router -->|Proxy Request| Service1
+    Router -->|Proxy Request| Service2
+    
+    PortProxy -->|Direct TCP| Service2
+    PortProxy -->|Direct TCP| Service3
+    
+    IPTables -.->|Low-level forwarding| PortProxy
+    
+    HTTP80 -.->|Challenge Response| ACME
+    ACME -.->|Generate/Manage| Certs
+    Certs -.->|Provide TLS Certs| HTTPS443
+    
+    classDef component fill:#f9f,stroke:#333,stroke-width:2px;
+    classDef backend fill:#bbf,stroke:#333,stroke-width:1px;
+    classDef client fill:#dfd,stroke:#333,stroke-width:2px;
+    
+    class Client client;
+    class HTTP80,HTTPS443,PortProxy,IPTables,Router,ACME component;
+    class Service1,Service2,Service3 backend;
 ```
 
-This will add `@push.rocks/smartproxy` to your project's dependencies.
+### HTTPS Reverse Proxy Flow
+This diagram shows how HTTPS requests are handled and proxied to backend services:
+
+```mermaid
+sequenceDiagram
+    participant Client
+    participant NetworkProxy
+    participant ProxyRouter
+    participant Backend
+    
+    Client->>NetworkProxy: HTTPS Request
+    
+    Note over NetworkProxy: TLS Termination
+    
+    NetworkProxy->>ProxyRouter: Route Request
+    ProxyRouter->>ProxyRouter: Match hostname to config
+    
+    alt Authentication Required
+        NetworkProxy->>Client: Request Authentication
+        Client->>NetworkProxy: Send Credentials
+        NetworkProxy->>NetworkProxy: Validate Credentials
+    end
+    
+    NetworkProxy->>Backend: Forward Request
+    Backend->>NetworkProxy: Response
+    
+    Note over NetworkProxy: Add Default Headers
+    
+    NetworkProxy->>Client: Forward Response
+    
+    alt WebSocket Request
+        Client->>NetworkProxy: Upgrade to WebSocket
+        NetworkProxy->>Backend: Upgrade to WebSocket
+        loop WebSocket Active
+            Client->>NetworkProxy: WebSocket Message
+            NetworkProxy->>Backend: Forward Message
+            Backend->>NetworkProxy: WebSocket Message
+            NetworkProxy->>Client: Forward Message
+            NetworkProxy-->>NetworkProxy: Heartbeat Check
+        end
+    end
+```
+
+### Port Proxy with SNI-based Routing
+This diagram illustrates how TCP connections with SNI (Server Name Indication) are processed and forwarded:
+
+```mermaid
+sequenceDiagram
+    participant Client
+    participant PortProxy
+    participant Backend
+    
+    Client->>PortProxy: TLS Connection
+    
+    alt SNI Enabled
+        PortProxy->>Client: Accept Connection
+        Client->>PortProxy: TLS ClientHello with SNI
+        PortProxy->>PortProxy: Extract SNI Hostname
+        PortProxy->>PortProxy: Match Domain Config
+        PortProxy->>PortProxy: Validate Client IP
+        
+        alt IP Allowed
+            PortProxy->>Backend: Forward Connection
+            Note over PortProxy,Backend: Bidirectional Data Flow
+        else IP Rejected
+            PortProxy->>Client: Close Connection
+        end
+    else Port-based Routing
+        PortProxy->>PortProxy: Match Port Range
+        PortProxy->>PortProxy: Find Domain Config
+        PortProxy->>PortProxy: Validate Client IP
+        
+        alt IP Allowed
+            PortProxy->>Backend: Forward Connection
+            Note over PortProxy,Backend: Bidirectional Data Flow
+        else IP Rejected
+            PortProxy->>Client: Close Connection
+        end
+    end
+    
+    loop Connection Active
+        PortProxy-->>PortProxy: Monitor Activity
+        PortProxy-->>PortProxy: Check Max Lifetime
+        alt Inactivity or Max Lifetime Exceeded
+            PortProxy->>Client: Close Connection
+            PortProxy->>Backend: Close Connection
+        end
+    end
+```
+
+### Let's Encrypt Certificate Acquisition
+This diagram shows how certificates are automatically acquired through the ACME protocol:
+
+```mermaid
+sequenceDiagram
+    participant Client
+    participant Port80Handler
+    participant ACME as Let's Encrypt ACME
+    participant NetworkProxy
+    
+    Client->>Port80Handler: HTTP Request for domain
+    
+    alt Certificate Exists
+        Port80Handler->>Client: Redirect to HTTPS
+    else No Certificate
+        Port80Handler->>Port80Handler: Mark domain as obtaining cert
+        Port80Handler->>ACME: Create account & new order
+        ACME->>Port80Handler: Challenge information
+        
+        Port80Handler->>Port80Handler: Store challenge token & key authorization
+        
+        ACME->>Port80Handler: HTTP-01 Challenge Request
+        Port80Handler->>ACME: Challenge Response
+        
+        ACME->>ACME: Validate domain ownership
+        ACME->>Port80Handler: Challenge validated
+        
+        Port80Handler->>Port80Handler: Generate CSR
+        Port80Handler->>ACME: Submit CSR
+        ACME->>Port80Handler: Issue Certificate
+        
+        Port80Handler->>Port80Handler: Store certificate & private key
+        Port80Handler->>Port80Handler: Mark certificate as obtained
+        
+        Note over Port80Handler,NetworkProxy: Certificate available for use
+        
+        Client->>Port80Handler: Another HTTP Request
+        Port80Handler->>Client: Redirect to HTTPS
+        Client->>NetworkProxy: HTTPS Request
+        Note over NetworkProxy: Uses new certificate
+    end
+```
+
+## Features
+
+- **HTTPS Reverse Proxy** - Route traffic to backend services based on hostname with TLS termination
+- **WebSocket Support** - Full WebSocket proxying with heartbeat monitoring
+- **TCP Port Forwarding** - Advanced port forwarding with SNI inspection and domain-based routing
+- **HTTP to HTTPS Redirection** - Automatically redirect HTTP requests to HTTPS
+- **Let's Encrypt Integration** - Automatic certificate management using ACME protocol
+- **IP Filtering** - Control access with IP allow/block lists using glob patterns
+- **IPTables Integration** - Direct manipulation of iptables for low-level port forwarding
+- **Basic Authentication** - Support for basic auth on proxied routes
+- **Connection Management** - Intelligent connection tracking and cleanup
+
+## Installation
+
+```bash
+npm install @push.rocks/smartproxy
+```
 
 ## Usage
 
-`@push.rocks/smartproxy` is a comprehensive package that provides advanced functionalities for handling proxy tasks efficiently, including SSL redirection, port proxying, WebSocket support, and dynamic routing with authentication capabilities. Here is an extensive guide on how to utilize these features effectively, ensuring robust and secure proxy operations.
-
-### Initial Setup
-
-Before exploring the advanced features of `smartproxy`, you need to set up a basic proxy server. This setup serves as the foundation for incorporating additional functionalities later on:
+### Basic Reverse Proxy Setup
 
 ```typescript
 import { NetworkProxy } from '@push.rocks/smartproxy';
 
-// Create an instance of NetworkProxy with the desired configuration
-const myNetworkProxy = new NetworkProxy({ port: 443 });
+// Create a reverse proxy listening on port 443
+const proxy = new NetworkProxy({
+  port: 443
+});
 
-// Define reverse proxy configurations for the domains you wish to proxy
+// Define reverse proxy configurations
 const proxyConfigs = [
   {
-    destinationIp: '127.0.0.1',
-    destinationPort: '3000',
     hostName: 'example.com',
-    privateKey: `-----BEGIN PRIVATE KEY-----
-PRIVATE_KEY_CONTENT
------END PRIVATE KEY-----`,
-    publicKey: `-----BEGIN CERTIFICATE-----
-CERTIFICATE_CONTENT
------END CERTIFICATE-----`,
+    destinationIp: '127.0.0.1',
+    destinationPort: 3000,
+    publicKey: 'your-cert-content',
+    privateKey: 'your-key-content'
   },
-  // Additional configurations can be added here
+  {
+    hostName: 'api.example.com',
+    destinationIp: '127.0.0.1',
+    destinationPort: 4000,
+    publicKey: 'your-cert-content',
+    privateKey: 'your-key-content',
+    // Optional basic auth
+    authentication: {
+      type: 'Basic',
+      user: 'admin',
+      pass: 'secret'
+    }
+  }
 ];
 
-// Start the network proxy to enable forwarding
-await myNetworkProxy.start();
-
-// Apply the configurations you defined earlier
-await myNetworkProxy.updateProxyConfigs(proxyConfigs);
-
-// Optionally, you can set default headers to be included in all responses
-await myNetworkProxy.addDefaultHeaders({
-  'X-Powered-By': 'smartproxy',
-});
+// Start the proxy and update configurations
+(async () => {
+  await proxy.start();
+  await proxy.updateProxyConfigs(proxyConfigs);
+  
+  // Add default headers to all responses
+  await proxy.addDefaultHeaders({
+    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload'
+  });
+})();
 ```
 
-### Configuring SSL Redirection
-
-A critical feature of modern proxy servers is the ability to redirect HTTP traffic to secure HTTPS endpoints. The `SslRedirect` class in `smartproxy` simplifies this process by automatically redirecting requests from HTTP port 80 to HTTPS:
+### HTTP to HTTPS Redirection
 
 ```typescript
 import { SslRedirect } from '@push.rocks/smartproxy';
 
-// Create an SslRedirect instance to listen on port 80
-const mySslRedirect = new SslRedirect(80);
-
-// Start the redirect to enforce HTTPS
-await mySslRedirect.start();
-
-// To stop HTTP redirection, use the following command:
-await mySslRedirect.stop();
+// Create and start HTTP to HTTPS redirect service on port 80
+const redirector = new SslRedirect(80);
+redirector.start();
 ```
 
-### Managing Port Proxying
-
-Port proxying is essential for forwarding traffic from one port to another, an important feature for services that require dynamic port changes without downtime. Smartproxy's `PortProxy` class efficiently handles these scenarios:
+### TCP Port Forwarding with Domain-based Routing
 
 ```typescript
 import { PortProxy } from '@push.rocks/smartproxy';
 
-// Set up a PortProxy to forward traffic from port 5000 to 3000
-const myPortProxy = new PortProxy(5000, 3000);
-
-// Initiate the port proxy
-await myPortProxy.start();
-
-// To halt the port proxy, execute:
-await myPortProxy.stop();
-```
-
-For more intricate setups—such as forwarding based on specific domain rules or IP allowances—smartproxy allows detailed configurations:
-
-```typescript
-import { PortProxy } from '@push.rocks/smartproxy';
-
-// Configure complex port proxy rules
-const advancedPortProxy = new PortProxy({
-  fromPort: 6000,
-  toPort: 3000,
-  domains: [
+// Configure port proxy with domain-based routing
+const portProxy = new PortProxy({
+  fromPort: 443,
+  toPort: 8443,
+  targetIP: 'localhost', // Default target host
+  sniEnabled: true,      // Enable SNI inspection
+  globalPortRanges: [{ from: 443, to: 443 }],
+  defaultAllowedIPs: ['*'], // Allow all IPs by default
+  domainConfigs: [
     {
-      domain: 'api.example.com',
-      allowedIPs: ['192.168.0.*', '127.0.0.1'],
-      targetIP: '192.168.1.100'
+      domains: ['example.com', '*.example.com'], // Glob patterns for matching domains
+      allowedIPs: ['192.168.1.*'],               // Restrict access by IP
+      blockedIPs: ['192.168.1.100'],             // Block specific IPs
+      targetIPs: ['10.0.0.1', '10.0.0.2'],       // Round-robin between multiple targets
+      portRanges: [{ from: 443, to: 443 }]
     }
-    // Additional domain rules can be added as needed
   ],
-  sniEnabled: true,  // Server Name Indication (SNI) support
-  defaultAllowedIPs: ['*'],
+  maxConnectionLifetime: 3600000, // 1 hour in milliseconds
+  preserveSourceIP: true
 });
 
-// Activate the proxy with conditional rules
-await advancedPortProxy.start();
+portProxy.start();
 ```
 
-### WebSocket Handling
-
-With real-time applications becoming more prevalent, effective WebSocket handling is crucial in a proxy server. Smartproxy natively incorporates WebSocket support to manage WebSocket traffic securely and efficiently:
-
-```typescript
-import { NetworkProxy } from '@push.rocks/smartproxy';
-
-// Create a NetworkProxy instance for WebSocket traffic
-const wsNetworkProxy = new NetworkProxy({ port: 443 });
-
-// Define proxy configurations targeted for WebSocket traffic
-const websocketConfig = [
-  {
-    destinationIp: '127.0.0.1',
-    destinationPort: '8080',
-    hostName: 'socket.example.com',
-    // Include SSL details if necessary
-  }
-];
-
-// Start the proxy and apply WebSocket settings
-await wsNetworkProxy.start();
-await wsNetworkProxy.updateProxyConfigs(websocketConfig);
-
-// Set heartbeat intervals to maintain WebSocket connections
-wsNetworkProxy.heartbeatInterval = setInterval(() => {
-  // Logic for connection health checks
-}, 60000); // every minute
-
-// Capture and handle server errors for resiliency
-wsNetworkProxy.httpsServer.on('error', (error) => console.log('Server Error:', error));
-```
-
-### Advanced Routing and Custom Features
-
-Smartproxy shines with its dynamic routing capabilities, allowing for custom and advanced request routing based on the request's destination. This enables extensive flexibility, such as directing API requests or facilitating intricate B2B integrations:
-
-```typescript
-import { NetworkProxy } from '@push.rocks/smartproxy';
-
-// Instantiate a proxy with dynamic routing
-const routeProxy = new NetworkProxy({ port: 8443 });
-
-routeProxy.router.setNewProxyConfigs([
-  {
-    destinationIp: '192.168.1.150',
-    destinationPort: '80',
-    hostName: 'dynamic.example.com',
-    authentication: {
-      type: 'Basic',
-      user: 'admin',
-      pass: 'password123'
-    }
-  }
-]);
-
-// Activate the routing proxy
-await routeProxy.start();
-```
-
-For those who require granular traffic control, integrating tools like `iptables` offers additional power over network management:
+### IPTables Port Forwarding
 
 ```typescript
 import { IPTablesProxy } from '@push.rocks/smartproxy';
 
-// Set up IPTables for sophisticated network traffic management
-const iptablesProxy = new IPTablesProxy({
-  fromPort: 8081,
+// Configure IPTables to forward from port 80 to 8080
+const iptables = new IPTablesProxy({
+  fromPort: 80,
   toPort: 8080,
-  deleteOnExit: true // Clean up rules when the server shuts down
+  toHost: 'localhost',
+  preserveSourceIP: true,
+  deleteOnExit: true  // Automatically clean up rules on process exit
 });
 
-// Enable routing through IPTables
-await iptablesProxy.start();
+iptables.start();
 ```
 
-### Integrating SSL and HTTP/HTTPS Credentials
-
-Handling sensitive data like SSL keys and certificates securely is crucial in proxy configurations:
+### Automatic HTTPS Certificate Management
 
 ```typescript
-import { loadDefaultCertificates } from '@push.rocks/smartproxy';
+import { Port80Handler } from '@push.rocks/smartproxy';
 
-try {
-  const { privateKey, publicKey } = loadDefaultCertificates(); // Adjust path if necessary
-  console.log('SSL certificates loaded successfully.');
-  // Use these credentials in your configurations
-} catch (error) {
-  console.error('Error loading certificates:', error);
-}
+// Create an ACME handler for Let's Encrypt
+const acmeHandler = new Port80Handler();
+
+// Add domains to manage certificates for
+acmeHandler.addDomain('example.com');
+acmeHandler.addDomain('api.example.com');
 ```
 
-### Testing and Validation
+## Configuration Options
 
-Smartproxy supports extensive testing to ensure your proxy configurations operate as expected. Leveraging `tap` alongside TypeScript testing frameworks supports quality assurance:
+### NetworkProxy Options
 
-```typescript
-import { expect, tap } from '@push.rocks/tapbundle';
-import { NetworkProxy } from '@push.rocks/smartproxy';
+| Option         | Description                                       | Default |
+|----------------|---------------------------------------------------|---------|
+| `port`         | Port to listen on for HTTPS connections           | -       |
 
-tap.test('Check proxied request returns status 200', async () => {
-  // Testing logic
-});
+### PortProxy Settings
 
-tap.start();
-```
+| Option                   | Description                                            | Default     |
+|--------------------------|--------------------------------------------------------|-------------|
+| `fromPort`               | Port to listen on                                      | -           |
+| `toPort`                 | Destination port to forward to                         | -           |
+| `targetIP`               | Default destination IP if not specified in domainConfig | 'localhost' |
+| `sniEnabled`             | Enable SNI inspection for TLS connections              | false       |
+| `defaultAllowedIPs`      | IP patterns allowed by default                         | -           |
+| `defaultBlockedIPs`      | IP patterns blocked by default                         | -           |
+| `preserveSourceIP`       | Preserve the original client IP                        | false       |
+| `maxConnectionLifetime`  | Maximum time in ms to keep a connection open           | 600000      |
+| `globalPortRanges`       | Array of port ranges to listen on                      | -           |
+| `forwardAllGlobalRanges` | Forward all global range connections to targetIP       | false       |
+| `gracefulShutdownTimeout`| Time in ms to wait during shutdown                     | 30000       |
 
-### Conclusion
+### IPTablesProxy Settings
 
-`@push.rocks/smartproxy` is designed for both simple and complex proxying demands, offering tools for high-performance and secure proxy management across diverse environments. Its efficient configurations are capable of supporting SSL redirection, WebSocket traffic, dynamic routing, and other advanced functionalities, making it indispensable for developers seeking robust and adaptable proxy solutions. By integrating these capabilities with ease of use, `smartproxy` stands out as an essential tool in modern software architecture.
+| Option            | Description                                 | Default     |
+|-------------------|---------------------------------------------|-------------|
+| `fromPort`        | Source port to forward from                 | -           |
+| `toPort`          | Destination port to forward to              | -           |
+| `toHost`          | Destination host to forward to              | 'localhost' |
+| `preserveSourceIP`| Preserve the original client IP             | false       |
+| `deleteOnExit`    | Remove iptables rules when process exits    | false       |
+
+## Advanced Features
+
+### Connection Management and Monitoring
+
+The `PortProxy` class includes built-in connection tracking and monitoring:
+
+- Automatic cleanup of idle connections
+- Timeouts for connections that exceed maximum lifetime
+- Detailed logging of connection states
+- Termination statistics
+
+### WebSocket Support
+
+The `NetworkProxy` class provides WebSocket support with:
+
+- WebSocket connection proxying
+- Automatic heartbeat monitoring
+- Connection cleanup for inactive WebSockets
+
+### SNI-based Routing
+
+The `PortProxy` class can inspect the SNI (Server Name Indication) field in TLS handshakes to route connections based on the requested domain:
+
+- Multiple backend targets per domain
+- Round-robin load balancing
+- Domain-specific allowed IP ranges
+- Protection against SNI renegotiation attacks
 
 ## License and Legal Information
 

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '3.22.0',
+  version: '3.23.1',
   description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.'
 }

ts/classes.portproxy.ts

@@ -23,7 +23,6 @@ export interface IPortProxySettings extends plugins.tls.TlsOptions {
   globalPortRanges: Array<{ from: number; to: number }>; // Global allowed port ranges
   forwardAllGlobalRanges?: boolean; // When true, forwards all connections on global port ranges to the global targetIP
   gracefulShutdownTimeout?: number; // (ms) maximum time to wait for connections to close during shutdown
-  initialDataTimeout?: number; // (ms) timeout for receiving initial data, useful for chained proxies
 }
 
 /**
@@ -90,25 +89,25 @@ function extractSNI(buffer: Buffer): string | undefined {
 }
 
 interface IConnectionRecord {
+  id: string;                       // Unique connection identifier
   incoming: plugins.net.Socket;
   outgoing: plugins.net.Socket | null;
   incomingStartTime: number;
   outgoingStartTime?: number;
   outgoingClosedTime?: number;
-  lockedDomain?: string; // Field to lock this connection to the initial SNI
-  connectionClosed: boolean;
-  cleanupTimer?: NodeJS.Timeout; // Timer to force cleanup after max lifetime/inactivity
-  cleanupInitiated: boolean; // Flag to track if cleanup has been initiated but not completed
-  id: string; // Unique identifier for the connection
-  lastActivity: number; // Timestamp of last activity on either socket
+  lockedDomain?: string;            // Used to lock this connection to the initial SNI
+  connectionClosed: boolean;        // Flag to prevent multiple cleanup attempts
+  cleanupTimer?: NodeJS.Timeout;    // Timer for max lifetime/inactivity
+  lastActivity: number;             // Last activity timestamp for inactivity detection
+  pendingData: Buffer[];            // Buffer to hold data during connection setup
 }
 
-// Helper: Check if a port falls within any of the given port ranges.
+// Helper: Check if a port falls within any of the given port ranges
 const isPortInRanges = (port: number, ranges: Array<{ from: number; to: number }>): boolean => {
   return ranges.some(range => port >= range.from && port <= range.to);
 };
 
-// Helper: Check if a given IP matches any of the glob patterns.
+// Helper: Check if a given IP matches any of the glob patterns
 const isAllowed = (ip: string, patterns: string[]): boolean => {
   const normalizeIP = (ip: string): string[] => {
     if (ip.startsWith('::ffff:')) {
@@ -127,13 +126,13 @@ const isAllowed = (ip: string, patterns: string[]): boolean => {
   );
 };
 
-// Helper: Check if an IP is allowed considering allowed and blocked glob patterns.
+// Helper: Check if an IP is allowed considering allowed and blocked glob patterns
 const isGlobIPAllowed = (ip: string, allowed: string[], blocked: string[] = []): boolean => {
   if (blocked.length > 0 && isAllowed(ip, blocked)) return false;
   return isAllowed(ip, allowed);
 };
 
-// Helper: Generate a unique ID for a connection
+// Helper: Generate a unique connection ID
 const generateConnectionId = (): string => {
   return Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15);
 };
@@ -141,12 +140,11 @@ const generateConnectionId = (): string => {
 export class PortProxy {
   private netServers: plugins.net.Server[] = [];
   settings: IPortProxySettings;
-  // Unified record tracking each connection pair.
   private connectionRecords: Map<string, IConnectionRecord> = new Map();
   private connectionLogger: NodeJS.Timeout | null = null;
   private isShuttingDown: boolean = false;
 
-  // Map to track round robin indices for each domain config.
+  // Map to track round robin indices for each domain config
   private domainTargetIndices: Map<IDomainConfig, number> = new Map();
 
   private terminationStats: {
@@ -164,9 +162,6 @@ export class PortProxy {
       maxConnectionLifetime: settingsArg.maxConnectionLifetime || 600000,
       gracefulShutdownTimeout: settingsArg.gracefulShutdownTimeout || 30000,
     };
-    
-    // Debug logging for constructor settings
-    console.log(`PortProxy initialized with targetIP: ${this.settings.targetIP}, toPort: ${this.settings.toPort}, fromPort: ${this.settings.fromPort}, sniEnabled: ${this.settings.sniEnabled}`);
   }
 
   private incrementTerminationStat(side: 'incoming' | 'outgoing', reason: string): void {
@@ -174,77 +169,64 @@ export class PortProxy {
   }
 
   /**
-   * Initiates the cleanup process for a connection.
-   * Sets the flag to prevent duplicate cleanup attempts and schedules actual cleanup.
+   * Cleans up a connection record.
+   * Destroys both incoming and outgoing sockets, clears timers, and removes the record.
+   * @param record - The connection record to clean up
+   * @param reason - Optional reason for cleanup (for logging)
    */
-  private initiateCleanup(record: IConnectionRecord, reason: string = 'normal'): void {
-    if (record.cleanupInitiated) return;
-    
-    record.cleanupInitiated = true;
-    const remoteIP = record.incoming.remoteAddress || 'unknown';
-    console.log(`Initiating cleanup for connection ${record.id} from ${remoteIP} (reason: ${reason})`);
-    
-    // Execute cleanup immediately to prevent lingering connections
-    this.executeCleanup(record);
+  private cleanupConnection(record: IConnectionRecord, reason: string = 'normal'): void {
+    if (!record.connectionClosed) {
+      record.connectionClosed = true;
+      
+      if (record.cleanupTimer) {
+        clearTimeout(record.cleanupTimer);
+        record.cleanupTimer = undefined;
+      }
+      
+      try {
+        if (!record.incoming.destroyed) {
+          // Try graceful shutdown first, then force destroy after a short timeout
+          record.incoming.end();
+          setTimeout(() => {
+            if (record && !record.incoming.destroyed) {
+              record.incoming.destroy();
+            }
+          }, 1000);
+        }
+      } catch (err) {
+        console.log(`Error closing incoming socket: ${err}`);
+        if (!record.incoming.destroyed) {
+          record.incoming.destroy();
+        }
+      }
+      
+      try {
+        if (record.outgoing && !record.outgoing.destroyed) {
+          // Try graceful shutdown first, then force destroy after a short timeout
+          record.outgoing.end();
+          setTimeout(() => {
+            if (record && record.outgoing && !record.outgoing.destroyed) {
+              record.outgoing.destroy();
+            }
+          }, 1000);
+        }
+      } catch (err) {
+        console.log(`Error closing outgoing socket: ${err}`);
+        if (record.outgoing && !record.outgoing.destroyed) {
+          record.outgoing.destroy();
+        }
+      }
+      
+      // Remove the record from the tracking map
+      this.connectionRecords.delete(record.id);
+      
+      const remoteIP = record.incoming.remoteAddress || 'unknown';
+      console.log(`Connection from ${remoteIP} terminated (${reason}). Active connections: ${this.connectionRecords.size}`);
+    }
   }
 
-  /**
-   * Executes the actual cleanup of a connection.
-   * Destroys sockets, clears timers, and removes the record.
-   */
-  private executeCleanup(record: IConnectionRecord): void {
-    if (record.connectionClosed) return;
-    
-    record.connectionClosed = true;
-    const remoteIP = record.incoming.remoteAddress || 'unknown';
-    
-    if (record.cleanupTimer) {
-      clearTimeout(record.cleanupTimer);
-      record.cleanupTimer = undefined;
-    }
-    
-    // End the sockets first to allow for graceful closure
-    try {
-      if (!record.incoming.destroyed) {
-        record.incoming.end();
-        // Set a safety timeout to force destroy if end doesn't complete
-        setTimeout(() => {
-          if (!record.incoming.destroyed) {
-            console.log(`Forcing destruction of incoming socket for ${remoteIP}`);
-            record.incoming.destroy();
-          }
-        }, 1000);
-      }
-    } catch (err) {
-      console.error(`Error ending incoming socket for ${remoteIP}:`, err);
-      if (!record.incoming.destroyed) {
-        record.incoming.destroy();
-      }
-    }
-
-    try {
-      if (record.outgoing && !record.outgoing.destroyed) {
-        record.outgoing.end();
-        // Set a safety timeout to force destroy if end doesn't complete
-        setTimeout(() => {
-          if (record.outgoing && !record.outgoing.destroyed) {
-            console.log(`Forcing destruction of outgoing socket for ${remoteIP}`);
-            record.outgoing.destroy();
-          }
-        }, 1000);
-      }
-    } catch (err) {
-      console.error(`Error ending outgoing socket for ${remoteIP}:`, err);
-      if (record.outgoing && !record.outgoing.destroyed) {
-        record.outgoing.destroy();
-      }
-    }
-
-    // Remove the record after a delay to ensure all events have propagated
-    setTimeout(() => {
-      this.connectionRecords.delete(record.id);
-      console.log(`Connection ${record.id} from ${remoteIP} fully cleaned up. Active connections: ${this.connectionRecords.size}`);
-    }, 2000);
+  private updateActivity(record: IConnectionRecord): void {
+    record.lastActivity = Date.now();
   }
 
   private getTargetIP(domainConfig: IDomainConfig): string {
@@ -257,27 +239,6 @@ export class PortProxy {
     return this.settings.targetIP!;
   }
 
-  /**
-   * Updates the last activity timestamp for a connection record
-   */
-  private updateActivity(record: IConnectionRecord): void {
-    record.lastActivity = Date.now();
-    
-    // Reset the inactivity timer if one is set
-    if (this.settings.maxConnectionLifetime && record.cleanupTimer) {
-      clearTimeout(record.cleanupTimer);
-      
-      // Set a new cleanup timer
-      record.cleanupTimer = setTimeout(() => {
-        const now = Date.now();
-        const inactivityTime = now - record.lastActivity;
-        const remoteIP = record.incoming.remoteAddress || 'unknown';
-        console.log(`Connection ${record.id} from ${remoteIP} exceeded max lifetime or inactivity period (${inactivityTime}ms), forcing cleanup.`);
-        this.initiateCleanup(record, 'timeout');
-      }, this.settings.maxConnectionLifetime);
-    }
-  }
-
   public async start() {
     // Define a unified connection handler for all listening ports.
     const connectionHandler = (socket: plugins.net.Socket) => {
@@ -298,22 +259,28 @@ export class PortProxy {
         incomingStartTime: Date.now(),
         lastActivity: Date.now(),
         connectionClosed: false,
-        cleanupInitiated: false
+        pendingData: [] // Initialize buffer for pending data
       };
-
       this.connectionRecords.set(connectionId, connectionRecord);
-      console.log(`New connection ${connectionId} from ${remoteIP} on port ${localPort}. Active connections: ${this.connectionRecords.size}`);
+      
+      console.log(`New connection from ${remoteIP} on port ${localPort}. Active connections: ${this.connectionRecords.size}`);
 
       let initialDataReceived = false;
       let incomingTerminationReason: string | null = null;
       let outgoingTerminationReason: string | null = null;
 
-      // Local cleanup function that delegates to the class method.
+      // Local function for cleanupOnce
+      const cleanupOnce = () => {
+        this.cleanupConnection(connectionRecord);
+      };
+      
+      // Define initiateCleanupOnce for compatibility with potential future improvements
       const initiateCleanupOnce = (reason: string = 'normal') => {
-        this.initiateCleanup(connectionRecord, reason);
+        console.log(`Connection cleanup initiated for ${remoteIP} (${reason})`);
+        cleanupOnce();
       };
 
-      // Helper to reject an incoming connection.
+      // Helper to reject an incoming connection
       const rejectIncomingConnection = (reason: string, logMessage: string) => {
         console.log(logMessage);
         socket.end();
@@ -321,55 +288,25 @@ export class PortProxy {
           incomingTerminationReason = reason;
           this.incrementTerminationStat('incoming', reason);
         }
-        initiateCleanupOnce(reason);
+        cleanupOnce();
       };
 
-      // Set an initial timeout only if SNI is enabled or this is not a chained proxy
-      // For chained proxies, we need to allow more time for data to flow through
-      const initialTimeoutMs = this.settings.initialDataTimeout || 
-                             (this.settings.sniEnabled ? 15000 : 0); // Increased timeout for SNI, disabled for non-SNI by default
-      
+      // Set an initial timeout for SNI data if needed
       let initialTimeout: NodeJS.Timeout | null = null;
-      
-      if (initialTimeoutMs > 0) {
-        console.log(`Setting initial data timeout of ${initialTimeoutMs}ms for connection from ${remoteIP}`);
+      if (this.settings.sniEnabled) {
         initialTimeout = setTimeout(() => {
           if (!initialDataReceived) {
-            console.log(`Initial connection timeout for ${remoteIP} (no data received after ${initialTimeoutMs}ms)`);
-            if (incomingTerminationReason === null) {
-              incomingTerminationReason = 'initial_timeout';
-              this.incrementTerminationStat('incoming', 'initial_timeout');
-            }
-            initiateCleanupOnce('initial_timeout');
+            console.log(`Initial data timeout for ${remoteIP}`);
+            socket.end();
+            cleanupOnce();
           }
-        }, initialTimeoutMs);
+        }, 5000);
       } else {
-        console.log(`No initial timeout set for connection from ${remoteIP} (likely chained proxy)`);
-        // Mark as received immediately if we're not waiting for data
         initialDataReceived = true;
       }
 
       socket.on('error', (err: Error) => {
-        const errorMessage = initialDataReceived
-          ? `(Immediate) Incoming socket error from ${remoteIP}: ${err.message}`
-          : `(Premature) Incoming socket error from ${remoteIP} before data received: ${err.message}`;
-        console.log(errorMessage);
-        
-        // Clear the initial timeout if it exists
-        if (initialTimeout) {
-          clearTimeout(initialTimeout);
-          initialTimeout = null;
-        }
-        
-        // For premature errors, we need to handle them explicitly 
-        // since the standard error handlers might not be set up yet
-        if (!initialDataReceived) {
-          if (incomingTerminationReason === null) {
-            incomingTerminationReason = 'premature_error';
-            this.incrementTerminationStat('incoming', 'premature_error');
-          }
-          initiateCleanupOnce('premature_error');
-        }
+        console.log(`Incoming socket error from ${remoteIP}: ${err.message}`);
       });
 
       const handleError = (side: 'incoming' | 'outgoing') => (err: Error) => {
@@ -378,13 +315,9 @@ export class PortProxy {
         if (code === 'ECONNRESET') {
           reason = 'econnreset';
           console.log(`ECONNRESET on ${side} side from ${remoteIP}: ${err.message}`);
-        } else if (code === 'ECONNREFUSED') {
-          reason = 'econnrefused';
-          console.log(`ECONNREFUSED on ${side} side from ${remoteIP}: ${err.message}`);
         } else {
           console.log(`Error on ${side} side from ${remoteIP}: ${err.message}`);
         }
-        
         if (side === 'incoming' && incomingTerminationReason === null) {
           incomingTerminationReason = reason;
           this.incrementTerminationStat('incoming', reason);
@@ -392,13 +325,11 @@ export class PortProxy {
           outgoingTerminationReason = reason;
           this.incrementTerminationStat('outgoing', reason);
         }
-        
         initiateCleanupOnce(reason);
       };
 
       const handleClose = (side: 'incoming' | 'outgoing') => () => {
         console.log(`Connection closed on ${side} side from ${remoteIP}`);
-        
         if (side === 'incoming' && incomingTerminationReason === null) {
           incomingTerminationReason = 'normal';
           this.incrementTerminationStat('incoming', 'normal');
@@ -407,24 +338,8 @@ export class PortProxy {
           this.incrementTerminationStat('outgoing', 'normal');
           // Record the time when outgoing socket closed.
           connectionRecord.outgoingClosedTime = Date.now();
-          
-          // If incoming is still active but outgoing closed, set a shorter timeout
-          if (!connectionRecord.incoming.destroyed) {
-            console.log(`Outgoing socket closed but incoming still active for ${remoteIP}. Setting cleanup timeout.`);
-            setTimeout(() => {
-              if (!connectionRecord.connectionClosed && !connectionRecord.incoming.destroyed) {
-                console.log(`Incoming socket still active ${Date.now() - connectionRecord.outgoingClosedTime!}ms after outgoing closed for ${remoteIP}. Cleaning up.`);
-                initiateCleanupOnce('outgoing_closed_timeout');
-              }
-            }, 10000); // 10 second timeout instead of waiting for the next parity check
-          }
-        }
-        
-        // If both sides are closed/destroyed, clean up
-        if ((side === 'incoming' && connectionRecord.outgoing?.destroyed) || 
-            (side === 'outgoing' && connectionRecord.incoming.destroyed)) {
-          initiateCleanupOnce('both_closed');
         }
+        initiateCleanupOnce('closed_' + side);
       };
 
       /**
@@ -438,6 +353,7 @@ export class PortProxy {
         // Clear the initial timeout since we've received data
         if (initialTimeout) {
           clearTimeout(initialTimeout);
+          initialTimeout = null;
         }
         
         // If a forcedDomain is provided (port-based routing), use it; otherwise, use SNI-based lookup.
@@ -447,35 +363,25 @@ export class PortProxy {
               config.domains.some(d => plugins.minimatch(serverName, d))
             ) : undefined);
 
-        // Effective IP check: merge allowed IPs with default allowed, and remove blocked IPs.
-        // In a chained proxy, relax IP validation unless explicitly configured
-        // If this is the first proxy in the chain, normal validation applies
+        // IP validation is skipped if allowedIPs is empty
         if (domainConfig) {
-          // Has specific domain config - check IP restrictions only if allowedIPs is non-empty
-          if (domainConfig.allowedIPs.length > 0) {
-            const effectiveAllowedIPs: string[] = [
-              ...domainConfig.allowedIPs,
-              ...(this.settings.defaultAllowedIPs || [])
-            ];
-            const effectiveBlockedIPs: string[] = [
-              ...(domainConfig.blockedIPs || []),
-              ...(this.settings.defaultBlockedIPs || [])
-            ];
-            if (!isGlobIPAllowed(remoteIP, effectiveAllowedIPs, effectiveBlockedIPs)) {
-              return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed for domain ${domainConfig.domains.join(', ')}`);
-            }
-          } else {
-            console.log(`Domain config for ${domainConfig.domains.join(', ')} has empty allowedIPs, skipping IP validation`);
+          const effectiveAllowedIPs: string[] = [
+            ...domainConfig.allowedIPs,
+            ...(this.settings.defaultAllowedIPs || [])
+          ];
+          const effectiveBlockedIPs: string[] = [
+            ...(domainConfig.blockedIPs || []),
+            ...(this.settings.defaultBlockedIPs || [])
+          ];
+          
+          // Skip IP validation if allowedIPs is empty
+          if (domainConfig.allowedIPs.length > 0 && !isGlobIPAllowed(remoteIP, effectiveAllowedIPs, effectiveBlockedIPs)) {
+            return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed for domain ${domainConfig.domains.join(', ')}`);
           }
         } else if (this.settings.defaultAllowedIPs && this.settings.defaultAllowedIPs.length > 0) {
-          // No domain config but has default IP restrictions
           if (!isGlobIPAllowed(remoteIP, this.settings.defaultAllowedIPs, this.settings.defaultBlockedIPs || [])) {
             return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed by default allowed list`);
           }
-        } else {
-          // No domain config and no default allowed IPs
-          // In a chained proxy setup, we'll allow this connection 
-          console.log(`No specific IP restrictions found for ${remoteIP}. Allowing connection in potential chained proxy setup.`);
         }
 
         const targetHost = domainConfig ? this.getTargetIP(domainConfig) : this.settings.targetIP!;
@@ -487,116 +393,119 @@ export class PortProxy {
           connectionOptions.localAddress = remoteIP.replace('::ffff:', '');
         }
 
-        // Add explicit connection timeout and error handling
-        let connectionTimeout: NodeJS.Timeout | null = null;
-        let connectionSucceeded = false;
-        
-        // Set connection timeout - longer for chained proxies
-        connectionTimeout = setTimeout(() => {
-          if (!connectionSucceeded) {
-            console.log(`Connection timeout connecting to ${targetHost}:${connectionOptions.port} for ${remoteIP}`);
-            if (outgoingTerminationReason === null) {
-              outgoingTerminationReason = 'connection_timeout';
-              this.incrementTerminationStat('outgoing', 'connection_timeout');
-            }
-            initiateCleanupOnce('connection_timeout');
-          }
-        }, 10000); // Increased from 5s to 10s to accommodate chained proxies
+        // Temporary handler to collect data during connection setup
+        const tempDataHandler = (chunk: Buffer) => {
+          connectionRecord.pendingData.push(Buffer.from(chunk));
+          this.updateActivity(connectionRecord);
+        };
 
-        console.log(`Attempting to connect to ${targetHost}:${connectionOptions.port} for client ${remoteIP}...`);
-        
-        // Create the target socket
+        // Add the temp handler to capture all incoming data during connection setup
+        socket.on('data', tempDataHandler);
+
+        // Add initial chunk to pending data if present
+        if (initialChunk) {
+          connectionRecord.pendingData.push(Buffer.from(initialChunk));
+        }
+
+        // Create the target socket but don't set up piping immediately
         const targetSocket = plugins.net.connect(connectionOptions);
         connectionRecord.outgoing = targetSocket;
+        connectionRecord.outgoingStartTime = Date.now();
         
-        // Handle successful connection
-        targetSocket.once('connect', () => {
-          connectionSucceeded = true;
-          if (connectionTimeout) {
-            clearTimeout(connectionTimeout);
-            connectionTimeout = null;
-          }
-          
-          connectionRecord.outgoingStartTime = Date.now();
-          console.log(
-            `Connection established: ${remoteIP} -> ${targetHost}:${connectionOptions.port}` +
-            `${serverName ? ` (SNI: ${serverName})` : forcedDomain ? ` (Port-based for domain: ${forcedDomain.domains.join(', ')})` : ''}`
-          );
-
-          // Setup data flow after confirmed connection
-          setupDataFlow(targetSocket, initialChunk);
-        });
-
-        // Handle connection errors early
-        targetSocket.once('error', (err) => {
-          if (!connectionSucceeded) {
-            // This is an initial connection error
-            console.log(`Failed to connect to ${targetHost}:${connectionOptions.port} for ${remoteIP}: ${err.message}`);
-            if (connectionTimeout) {
-              clearTimeout(connectionTimeout);
-              connectionTimeout = null;
-            }
-            if (outgoingTerminationReason === null) {
-              outgoingTerminationReason = 'connection_failed';
-              this.incrementTerminationStat('outgoing', 'connection_failed');
-            }
-            initiateCleanupOnce('connection_failed');
-          }
-          // Other errors will be handled by the main error handler
-        });
-      };
-
-      /**
-       * Sets up the data flow between sockets after successful connection
-       */
-      const setupDataFlow = (targetSocket: plugins.net.Socket, initialChunk?: Buffer) => {
-        if (initialChunk) {
-          socket.unshift(initialChunk);
-        }
-        
-        // Set appropriate timeouts for both sockets
-        socket.setTimeout(120000);
-        targetSocket.setTimeout(120000);
-        
-        // Set up the pipe in both directions
-        socket.pipe(targetSocket);
-        targetSocket.pipe(socket);
-
-        // Attach error and close handlers
+        // Setup error handlers immediately
         socket.on('error', handleError('incoming'));
         targetSocket.on('error', handleError('outgoing'));
         socket.on('close', handleClose('incoming'));
         targetSocket.on('close', handleClose('outgoing'));
         
-        // Handle timeout events
+        // Handle timeouts
         socket.on('timeout', () => {
           console.log(`Timeout on incoming side from ${remoteIP}`);
           if (incomingTerminationReason === null) {
             incomingTerminationReason = 'timeout';
             this.incrementTerminationStat('incoming', 'timeout');
           }
-          initiateCleanupOnce('timeout');
+          initiateCleanupOnce('timeout_incoming');
         });
-        
         targetSocket.on('timeout', () => {
           console.log(`Timeout on outgoing side from ${remoteIP}`);
           if (outgoingTerminationReason === null) {
             outgoingTerminationReason = 'timeout';
             this.incrementTerminationStat('outgoing', 'timeout');
           }
-          initiateCleanupOnce('timeout');
+          initiateCleanupOnce('timeout_outgoing');
         });
-        
-        socket.on('end', handleClose('incoming'));
-        targetSocket.on('end', handleClose('outgoing'));
 
-        // Track activity for both sockets to reset inactivity timers
-        socket.on('data', (data) => {
-          this.updateActivity(connectionRecord);
-        });
+        // Set appropriate timeouts
+        socket.setTimeout(120000);
+        targetSocket.setTimeout(120000);
         
-        targetSocket.on('data', (data) => {
-          this.updateActivity(connectionRecord);
+        // Wait for the outgoing connection to be ready before setting up piping
+        targetSocket.once('connect', () => {
+          // Remove temporary data handler
+          socket.removeListener('data', tempDataHandler);
+          
+          // Flush all pending data to target
+          if (connectionRecord.pendingData.length > 0) {
+            const combinedData = Buffer.concat(connectionRecord.pendingData);
+            targetSocket.write(combinedData, (err) => {
+              if (err) {
+                console.log(`Error writing pending data to target: ${err.message}`);
+                return initiateCleanupOnce('write_error');
+              }
+              
+              // Now set up piping for future data
+              socket.pipe(targetSocket);
+              targetSocket.pipe(socket);
+              
+              console.log(
+                `Connection established: ${remoteIP} -> ${targetHost}:${connectionOptions.port}` +
+                `${serverName ? ` (SNI: ${serverName})` : forcedDomain ? ` (Port-based for domain: ${forcedDomain.domains.join(', ')})` : ''}`
+              );
+            });
+          } else {
+            // No pending data, so just set up piping
+            socket.pipe(targetSocket);
+            targetSocket.pipe(socket);
+            
+            console.log(
+              `Connection established: ${remoteIP} -> ${targetHost}:${connectionOptions.port}` +
+              `${serverName ? ` (SNI: ${serverName})` : forcedDomain ? ` (Port-based for domain: ${forcedDomain.domains.join(', ')})` : ''}`
+            );
+          }
+          
+          // Clear the buffer now that we've processed it
+          connectionRecord.pendingData = [];
+          
+          // Set up activity tracking
+          socket.on('data', () => {
+            connectionRecord.lastActivity = Date.now();
+          });
+          
+          targetSocket.on('data', () => {
+            connectionRecord.lastActivity = Date.now();
+          });
+          
+          // Add the renegotiation listener (we don't need setImmediate here anymore
+          // since we're already in the connect callback)
+          if (serverName) {
+            socket.on('data', (renegChunk: Buffer) => {
+              if (renegChunk.length > 0 && renegChunk.readUInt8(0) === 22) {
+                try {
+                  // Try to extract SNI from potential renegotiation
+                  const newSNI = extractSNI(renegChunk);
+                  if (newSNI && newSNI !== connectionRecord.lockedDomain) {
+                    console.log(`Rehandshake detected with different SNI: ${newSNI} vs locked ${connectionRecord.lockedDomain}. Terminating connection.`);
+                    initiateCleanupOnce('sni_mismatch');
+                  } else if (newSNI) {
+                    console.log(`Rehandshake detected with same SNI: ${newSNI}. Allowing.`);
+                  }
+                } catch (err) {
+                  console.log(`Error processing potential renegotiation: ${err}. Allowing connection to continue.`);
+                }
+              }
+            });
+          }
         });
 
         // Initialize a cleanup timer for max connection lifetime
@@ -615,7 +524,6 @@ export class PortProxy {
           if (this.settings.defaultAllowedIPs && !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
             console.log(`Connection from ${remoteIP} rejected: IP ${remoteIP} not allowed in global default allowed list.`);
             socket.end();
-            initiateCleanupOnce('rejected');
             return;
           }
           console.log(`Port-based connection from ${remoteIP} on port ${localPort} forwarded to global target IP ${this.settings.targetIP}.`);
@@ -644,7 +552,6 @@ export class PortProxy {
             if (!isGlobIPAllowed(remoteIP, effectiveAllowedIPs, effectiveBlockedIPs)) {
               console.log(`Connection from ${remoteIP} rejected: IP not allowed for domain ${forcedDomain.domains.join(', ')} on port ${localPort}.`);
               socket.end();
-              initiateCleanupOnce('rejected');
               return;
             }
             console.log(`Port-based connection from ${remoteIP} on port ${localPort} matched domain ${forcedDomain.domains.join(', ')}.`);
@@ -657,14 +564,8 @@ export class PortProxy {
 
       // --- FALLBACK: SNI-BASED HANDLING (or default when SNI is disabled) ---
       if (this.settings.sniEnabled) {
-        // If using SNI, we need to wait for data to establish the connection
-        if (initialDataReceived) {
-          console.log(`Initial data already marked as received for ${remoteIP}, but SNI is enabled. This is unexpected.`);
-        }
-        
         initialDataReceived = false;
-        
-        console.log(`Waiting for TLS ClientHello from ${remoteIP} to extract SNI...`);
+
         socket.once('data', (chunk: Buffer) => {
           if (initialTimeout) {
             clearTimeout(initialTimeout);
@@ -672,65 +573,18 @@ export class PortProxy {
           }
           
           initialDataReceived = true;
-          console.log(`Received initial data from ${remoteIP}, length: ${chunk.length} bytes`);
-          
-          let serverName = '';
-          try {
-            // Only try to extract SNI if the chunk looks like a TLS ClientHello
-            if (chunk.length > 5 && chunk.readUInt8(0) === 22) {
-              serverName = extractSNI(chunk) || '';
-              console.log(`Extracted SNI: "${serverName}" from connection ${remoteIP}`);
-            } else {
-              console.log(`Data from ${remoteIP} doesn't appear to be a TLS ClientHello. First byte: ${chunk.length > 0 ? chunk.readUInt8(0) : 'N/A'}`);
-            }
-          } catch (err) {
-            console.log(`Error extracting SNI from chunk: ${err}. Proceeding without SNI.`);
-          }
-          
+          const serverName = extractSNI(chunk) || '';
           // Lock the connection to the negotiated SNI.
           connectionRecord.lockedDomain = serverName;
-          
-          // Delay adding the renegotiation listener until the next tick,
-          // so the initial ClientHello is not reprocessed.
-          setImmediate(() => {
-            socket.on('data', (renegChunk: Buffer) => {
-              if (renegChunk.length > 0 && renegChunk.readUInt8(0) === 22) {
-                try {
-                  // Try to extract SNI from potential renegotiation
-                  const newSNI = extractSNI(renegChunk);
-                  if (newSNI && newSNI !== connectionRecord.lockedDomain) {
-                    console.log(`Rehandshake detected with different SNI: ${newSNI} vs locked ${connectionRecord.lockedDomain}. Terminating connection.`);
-                    initiateCleanupOnce('sni_mismatch');
-                  } else if (newSNI) {
-                    console.log(`Rehandshake detected with same SNI: ${newSNI}. Allowing.`);
-                  }
-                } catch (err) {
-                  console.log(`Error processing potential renegotiation: ${err}. Allowing connection to continue.`);
-                }
-              }
-            });
-          });
+          console.log(`Received connection from ${remoteIP} with SNI: ${serverName}`);
           
           setupConnection(serverName, chunk);
         });
       } else {
-        // Non-SNI mode: we can proceed immediately without waiting for data
-        if (initialTimeout) {
-          clearTimeout(initialTimeout);
-          initialTimeout = null;
-        }
-        
         initialDataReceived = true;
-        console.log(`SNI disabled for connection from ${remoteIP}, proceeding directly to connection setup`);
-        
-        // Check IP restrictions only if explicitly configured
-        if (this.settings.defaultAllowedIPs && this.settings.defaultAllowedIPs.length > 0) {
-          if (!isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
-            return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed for non-SNI connection`);
-          }
+        if (!this.settings.defaultAllowedIPs || this.settings.defaultAllowedIPs.length === 0 || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
+          return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed for non-SNI connection`);
         }
-        
-        // Proceed with connection setup
         setupConnection('');
       }
     };
@@ -764,7 +618,7 @@ export class PortProxy {
       this.netServers.push(server);
     }
 
-    // Log active connection count, run parity checks, and check for connection issues every 10 seconds.
+    // Log active connection count, longest running durations, and run parity checks every 10 seconds.
     this.connectionLogger = setInterval(() => {
       if (this.isShuttingDown) return;
       
@@ -784,25 +638,23 @@ export class PortProxy {
           maxOutgoing = Math.max(maxOutgoing, now - record.outgoingStartTime);
         }
         
-        // Parity check: if outgoing socket closed and incoming remains active for >30 seconds, trigger cleanup
+        // Parity check: if outgoing socket closed and incoming remains active
         if (record.outgoingClosedTime && 
             !record.incoming.destroyed && 
             !record.connectionClosed && 
-            !record.cleanupInitiated && 
             (now - record.outgoingClosedTime > 30000)) {
           const remoteIP = record.incoming.remoteAddress || 'unknown';
-          console.log(`Parity check triggered: Incoming socket for ${remoteIP} has been active >30s after outgoing closed.`);
-          this.initiateCleanup(record, 'parity_check');
+          console.log(`Parity check: Incoming socket for ${remoteIP} still active ${plugins.prettyMs(now - record.outgoingClosedTime)} after outgoing closed.`);
+          this.cleanupConnection(record, 'parity_check');
         }
         
-        // Inactivity check: if no activity for a long time but sockets still open
+        // Inactivity check
         const inactivityTime = now - record.lastActivity;
         if (inactivityTime > 180000 && // 3 minutes
-            !record.connectionClosed && 
-            !record.cleanupInitiated) {
+            !record.connectionClosed) {
           const remoteIP = record.incoming.remoteAddress || 'unknown';
-          console.log(`Inactivity check triggered: No activity on connection from ${remoteIP} for ${plugins.prettyMs(inactivityTime)}.`);
-          this.initiateCleanup(record, 'inactivity');
+          console.log(`Inactivity check: No activity on connection from ${remoteIP} for ${plugins.prettyMs(inactivityTime)}.`);
+          this.cleanupConnection(record, 'inactivity');
         }
       }
       
@@ -837,14 +689,14 @@ export class PortProxy {
     await Promise.all(closeServerPromises);
     console.log("All servers closed. Cleaning up active connections...");
     
-    // Gracefully close active connections
+    // Clean up active connections
     const connectionIds = [...this.connectionRecords.keys()];
     console.log(`Cleaning up ${connectionIds.length} active connections...`);
     
     for (const id of connectionIds) {
       const record = this.connectionRecords.get(id);
-      if (record && !record.connectionClosed && !record.cleanupInitiated) {
-        this.initiateCleanup(record, 'shutdown');
+      if (record && !record.connectionClosed) {
+        this.cleanupConnection(record, 'shutdown');
       }
     }
     
@@ -854,7 +706,7 @@ export class PortProxy {
       const checkInterval = setInterval(() => {
         if (this.connectionRecords.size === 0) {
           clearInterval(checkInterval);
-          resolve();
+          resolve(); // lets resolve here as early as we reach 0 remaining connections
         }
       }, 1000);