3.28.6

changelog.md

@@ -1,5 +1,106 @@
 # Changelog
 
+## 2025-03-07 - 3.28.6 - fix(PortProxy)
+Adjust default timeout settings and enhance keep-alive connection handling in PortProxy.
+
+- Updated default value for maxConnectionLifetime to 24 hours and inactivityTimeout to 4 hours.
+- Introduced enhanced settings for treating keep-alive connections as 'extended' or 'immortal'.
+- Modified logic to avoid closing keep-alive connections unnecessarily by adding inactivity warnings and grace periods.
+
+## 2025-03-07 - 3.28.5 - fix(core)
+Ensure proper resource cleanup during server shutdown.
+
+- Fixed potential hanging of server shutdown due to improper cleanup in promise handling.
+- Corrected potential memory leaks by ensuring all pending and active connections are properly closed during shutdown.
+
+## 2025-03-07 - 3.28.4 - fix(router)
+Improve path pattern matching and hostname prioritization in router
+
+- Enhance path pattern matching capabilities
+- Ensure hostname prioritization in routing logic
+
+## 2025-03-06 - 3.28.3 - fix(PortProxy)
+Ensure timeout values are within Node.js safe limits
+
+- Implemented `ensureSafeTimeout` to keep timeout values under the maximum safe integer for Node.js.
+- Updated timeout configurations in `PortProxy` to include safety checks.
+
+## 2025-03-06 - 3.28.2 - fix(portproxy)
+Adjust safe timeout defaults in PortProxy to prevent overflow issues.
+
+- Adjusted socketTimeout to maximum safe limit (~24.8 days) for PortProxy.
+- Adjusted maxConnectionLifetime to maximum safe limit (~24.8 days) for PortProxy.
+- Ensured enhanced default timeout settings in PortProxy.
+
+## 2025-03-06 - 3.28.1 - fix(PortProxy)
+Improved code formatting and readability in PortProxy class by adjusting spacing and comments.
+
+- Adjusted comment and spacing for better code readability.
+- No functional changes made in the PortProxy class.
+
+## 2025-03-06 - 3.28.0 - feat(router)
+Add detailed routing tests and refactor ProxyRouter for improved path matching
+
+- Implemented a comprehensive test suite for the ProxyRouter class to ensure accurate routing based on hostnames and path patterns.
+- Refactored the ProxyRouter to enhance path matching logic with improvements in wildcard and parameter handling.
+- Improved logging capabilities within the ProxyRouter for enhanced debugging and info level insights.
+- Optimized the data structures for storing and accessing proxy configurations to reduce overhead in routing operations.
+
+## 2025-03-06 - 3.27.0 - feat(AcmeCertManager)
+Introduce AcmeCertManager for enhanced ACME certificate management
+
+- Refactored the existing Port80Handler to AcmeCertManager.
+- Added event-driven certificate management with CertManagerEvents.
+- Introduced options for configuration such as renew thresholds and production mode.
+- Implemented certificate renewal checks and logging improvements.
+
+## 2025-03-05 - 3.26.0 - feat(readme)
+Updated README with enhanced TLS handling, connection management, and troubleshooting sections.
+
+- Added details on enhanced TLS handling and browser compatibility improvements.
+- Included advanced connection management features like random timeout prevention.
+- Provided comprehensive troubleshooting tips for browser certificate errors and connection stability.
+- Clarified default configuration options and optimization settings for PortProxy.
+
+## 2025-03-05 - 3.25.4 - fix(portproxy)
+Improve connection timeouts and detailed logging for PortProxy
+
+- Refactored timeout management for connections to include enhanced defaults and prevent thundering herd.
+- Improved support for TLS handshake detection with logging capabilities in PortProxy.
+- Removed protocol-specific handling which is now managed generically.
+- Introduced enhanced logging for SNI extraction and connection management.
+
+## 2025-03-05 - 3.25.3 - fix(core)
+Update dependencies and configuration improvements.
+
+- Upgrade TypeScript version to 5.8.2 for better compatibility.
+- Ensure all proxy and server tests pass with updated configurations.
+- Improve logging for better traceability in proxy operations.
+- Add handlers for WebSockets and HTTPS improvements.
+- Fix various issues related to proxy timeout and connection handling.
+- Update test certificates validation for better test coverage.
+
+## 2025-03-05 - 3.25.2 - fix(PortProxy)
+Adjust timeout settings and handle inactivity properly in PortProxy.
+
+- Changed initialDataTimeout default to 30 seconds for better handling of initial data reception.
+- Adjusted keepAliveInitialDelay to 30 seconds for consistent socket optimization.
+- Introduced proper inactivity handling with updated timeout logic.
+- Parity check now accounts for a 120-second threshold for outgoing socket closure.
+
+## 2025-03-05 - 3.25.1 - fix(PortProxy)
+Adjust inactivity threshold to a random value between 20 and 30 minutes for better variability
+
+- Modified inactivity threshold calculation within PortProxy to use a random value between 1.2 and 1.8 million milliseconds.
+
+## 2025-03-05 - 3.25.0 - feat(PortProxy)
+Enhanced PortProxy with detailed logging, protocol detection, and rate limiting.
+
+- Added detailed logging capabilities for connection tracking in the PortProxy.
+- Introduced protocol detection allowing HTTP and WebSocket upgrades.
+- Implemented rate limiting for connections by IP.
+- Enhanced timeout handling for various protocol-specific scenarios.
+
 ## 2025-03-05 - 3.24.0 - feat(core)
 Enhance core functionalities and test coverage for NetworkProxy and PortProxy
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "3.24.0",
+  "version": "3.28.6",
   "private": false,
   "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.",
   "main": "dist_ts/index.js",

readme.md

@@ -193,12 +193,14 @@ sequenceDiagram
 - **HTTPS Reverse Proxy** - Route traffic to backend services based on hostname with TLS termination
 - **WebSocket Support** - Full WebSocket proxying with heartbeat monitoring
 - **TCP Port Forwarding** - Advanced port forwarding with SNI inspection and domain-based routing
+- **Enhanced TLS Handling** - Robust TLS handshake processing with improved certificate error handling
 - **HTTP to HTTPS Redirection** - Automatically redirect HTTP requests to HTTPS
 - **Let's Encrypt Integration** - Automatic certificate management using ACME protocol
 - **IP Filtering** - Control access with IP allow/block lists using glob patterns
 - **IPTables Integration** - Direct manipulation of iptables for low-level port forwarding
 - **Basic Authentication** - Support for basic auth on proxied routes
-- **Connection Management** - Intelligent connection tracking and cleanup
+- **Connection Management** - Intelligent connection tracking and cleanup with configurable timeouts
+- **Browser Compatibility** - Optimized for modern browsers with fixes for common TLS handshake issues
 
 ## Installation
 
@@ -275,18 +277,38 @@ const portProxy = new PortProxy({
   toPort: 8443,
   targetIP: 'localhost', // Default target host
   sniEnabled: true,      // Enable SNI inspection
+  
+  // Enhanced reliability settings
+  initialDataTimeout: 60000,        // 60 seconds for initial TLS handshake
+  socketTimeout: 3600000,           // 1 hour socket timeout
+  maxConnectionLifetime: 3600000,   // 1 hour connection lifetime
+  inactivityTimeout: 3600000,       // 1 hour inactivity timeout
+  maxPendingDataSize: 10 * 1024 * 1024, // 10MB buffer for large TLS handshakes
+  
+  // Browser compatibility enhancement
+  enableTlsDebugLogging: false,     // Enable for troubleshooting TLS issues
+  
+  // Port and IP configuration
   globalPortRanges: [{ from: 443, to: 443 }],
   defaultAllowedIPs: ['*'], // Allow all IPs by default
+  
+  // Socket optimizations for better connection stability
+  noDelay: true,                    // Disable Nagle's algorithm
+  keepAlive: true,                  // Enable TCP keepalive
+  enableKeepAliveProbes: true,      // Enhanced keepalive for stability
+  
+  // Domain-specific routing configuration
   domainConfigs: [
     {
       domains: ['example.com', '*.example.com'], // Glob patterns for matching domains
       allowedIPs: ['192.168.1.*'],               // Restrict access by IP
       blockedIPs: ['192.168.1.100'],             // Block specific IPs
       targetIPs: ['10.0.0.1', '10.0.0.2'],       // Round-robin between multiple targets
-      portRanges: [{ from: 443, to: 443 }]
+      portRanges: [{ from: 443, to: 443 }],
+      connectionTimeout: 7200000                 // Domain-specific timeout (2 hours)
     }
   ],
-  maxConnectionLifetime: 3600000, // 1 hour in milliseconds
+  
   preserveSourceIP: true
 });
 
@@ -333,19 +355,31 @@ acmeHandler.addDomain('api.example.com');
 
 ### PortProxy Settings
 
-| Option                   | Description                                            | Default     |
-|--------------------------|--------------------------------------------------------|-------------|
-| `fromPort`               | Port to listen on                                      | -           |
-| `toPort`                 | Destination port to forward to                         | -           |
-| `targetIP`               | Default destination IP if not specified in domainConfig | 'localhost' |
-| `sniEnabled`             | Enable SNI inspection for TLS connections              | false       |
-| `defaultAllowedIPs`      | IP patterns allowed by default                         | -           |
-| `defaultBlockedIPs`      | IP patterns blocked by default                         | -           |
-| `preserveSourceIP`       | Preserve the original client IP                        | false       |
-| `maxConnectionLifetime`  | Maximum time in ms to keep a connection open           | 600000      |
-| `globalPortRanges`       | Array of port ranges to listen on                      | -           |
-| `forwardAllGlobalRanges` | Forward all global range connections to targetIP       | false       |
-| `gracefulShutdownTimeout`| Time in ms to wait during shutdown                     | 30000       |
+| Option                    | Description                                            | Default     |
+|---------------------------|--------------------------------------------------------|-------------|
+| `fromPort`                | Port to listen on                                      | -           |
+| `toPort`                  | Destination port to forward to                         | -           |
+| `targetIP`                | Default destination IP if not specified in domainConfig | 'localhost' |
+| `sniEnabled`              | Enable SNI inspection for TLS connections              | false       |
+| `defaultAllowedIPs`       | IP patterns allowed by default                         | -           |
+| `defaultBlockedIPs`       | IP patterns blocked by default                         | -           |
+| `preserveSourceIP`        | Preserve the original client IP                        | false       |
+| `maxConnectionLifetime`   | Maximum time in ms to keep a connection open           | 3600000     |
+| `initialDataTimeout`      | Timeout for initial data/handshake in ms               | 60000       |
+| `socketTimeout`           | Socket inactivity timeout in ms                        | 3600000     |
+| `inactivityTimeout`       | Connection inactivity check timeout in ms              | 3600000     |
+| `inactivityCheckInterval` | How often to check for inactive connections in ms      | 60000       |
+| `maxPendingDataSize`      | Maximum bytes to buffer during connection setup        | 10485760    |
+| `globalPortRanges`        | Array of port ranges to listen on                      | -           |
+| `forwardAllGlobalRanges`  | Forward all global range connections to targetIP       | false       |
+| `gracefulShutdownTimeout` | Time in ms to wait during shutdown                     | 30000       |
+| `noDelay`                 | Disable Nagle's algorithm                              | true        |
+| `keepAlive`               | Enable TCP keepalive                                   | true        |
+| `keepAliveInitialDelay`   | Initial delay before sending keepalive probes in ms    | 30000       |
+| `enableKeepAliveProbes`   | Enable enhanced TCP keep-alive probes                  | false       |
+| `enableTlsDebugLogging`   | Enable detailed TLS handshake debugging                | false       |
+| `enableDetailedLogging`   | Enable detailed connection logging                     | false       |
+| `enableRandomizedTimeouts`| Randomize timeouts slightly to prevent thundering herd | true        |
 
 ### IPTablesProxy Settings
 
@@ -359,14 +393,37 @@ acmeHandler.addDomain('api.example.com');
 
 ## Advanced Features
 
+### TLS Handshake Optimization
+
+The enhanced `PortProxy` implementation includes significant improvements for TLS handshake handling:
+
+- Robust SNI extraction with improved error handling
+- Increased buffer size for complex TLS handshakes (10MB)
+- Longer initial handshake timeout (60 seconds)
+- Detection and tracking of TLS connection states
+- Optional detailed TLS debug logging for troubleshooting
+- Browser compatibility fixes for Chrome certificate errors
+
+```typescript
+// Example configuration to solve Chrome certificate errors
+const portProxy = new PortProxy({
+  // ... other settings
+  initialDataTimeout: 60000,            // Give browser more time for handshake
+  maxPendingDataSize: 10 * 1024 * 1024, // Larger buffer for complex handshakes
+  enableTlsDebugLogging: true,          // Enable when troubleshooting
+});
+```
+
 ### Connection Management and Monitoring
 
 The `PortProxy` class includes built-in connection tracking and monitoring:
 
-- Automatic cleanup of idle connections
+- Automatic cleanup of idle connections with configurable timeouts
 - Timeouts for connections that exceed maximum lifetime
 - Detailed logging of connection states
 - Termination statistics
+- Randomized timeouts to prevent "thundering herd" problems
+- Per-domain timeout configuration
 
 ### WebSocket Support
 
@@ -385,6 +442,39 @@ The `PortProxy` class can inspect the SNI (Server Name Indication) field in TLS
 - Domain-specific allowed IP ranges
 - Protection against SNI renegotiation attacks
 
+## Troubleshooting
+
+### Browser Certificate Errors
+
+If you experience certificate errors in browsers, especially in Chrome, try these solutions:
+
+1. **Increase Initial Data Timeout**: Set `initialDataTimeout` to 60 seconds or higher
+2. **Increase Buffer Size**: Set `maxPendingDataSize` to 10MB or higher
+3. **Enable TLS Debug Logging**: Set `enableTlsDebugLogging: true` to troubleshoot handshake issues
+4. **Enable Keep-Alive Probes**: Set `enableKeepAliveProbes: true` for better connection stability
+5. **Check Certificate Chain**: Ensure your certificate chain is complete and in the correct order
+
+```typescript
+// Configuration to fix Chrome certificate errors
+const portProxy = new PortProxy({
+  // ... other settings
+  initialDataTimeout: 60000,
+  maxPendingDataSize: 10 * 1024 * 1024,
+  enableTlsDebugLogging: true,
+  enableKeepAliveProbes: true
+});
+```
+
+### Connection Stability
+
+For improved connection stability in high-traffic environments:
+
+1. **Set Appropriate Timeouts**: Use longer timeouts for long-lived connections
+2. **Use Domain-Specific Timeouts**: Configure per-domain timeouts for different types of services
+3. **Enable TCP Keep-Alive**: Ensure `keepAlive` is set to `true`
+4. **Monitor Connection Statistics**: Enable detailed logging to track termination reasons
+5. **Fine-tune Inactivity Checks**: Adjust `inactivityCheckInterval` based on your traffic patterns
+
 ## License and Legal Information
 
 This repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license](license) file within this repository. 
@@ -402,4 +492,4 @@ Registered at District court Bremen HRB 35230 HB, Germany
 
 For any legal inquiries or if you require further information, please contact us via email at hello@task.vc.
 
-By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.
+By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.

test/test.router.ts

@@ -0,0 +1,346 @@
+import { expect, tap } from '@push.rocks/tapbundle';
+import * as tsclass from '@tsclass/tsclass';
+import * as http from 'http';
+import { ProxyRouter, type IRouterResult } from '../ts/classes.router.js';
+
+// Test proxies and configurations
+let router: ProxyRouter;
+
+// Sample hostname for testing
+const TEST_DOMAIN = 'example.com';
+const TEST_SUBDOMAIN = 'api.example.com';
+const TEST_WILDCARD = '*.example.com';
+
+// Helper: Creates a mock HTTP request for testing
+function createMockRequest(host: string, url: string = '/'): http.IncomingMessage {
+  const req = {
+    headers: { host },
+    url,
+    socket: {
+      remoteAddress: '127.0.0.1'
+    }
+  } as any;
+  return req;
+}
+
+// Helper: Creates a test proxy configuration
+function createProxyConfig(
+  hostname: string, 
+  destinationIp: string = '10.0.0.1',
+  destinationPort: number = 8080
+): tsclass.network.IReverseProxyConfig {
+  return {
+    hostName: hostname,
+    destinationIp,
+    destinationPort: destinationPort.toString(), // Convert to string for IReverseProxyConfig
+    publicKey: 'mock-cert',
+    privateKey: 'mock-key'
+  } as tsclass.network.IReverseProxyConfig;
+}
+
+// SETUP: Create a ProxyRouter instance
+tap.test('setup proxy router test environment', async () => {
+  router = new ProxyRouter();
+  
+  // Initialize with empty config
+  router.setNewProxyConfigs([]);
+});
+
+// Test basic routing by hostname
+tap.test('should route requests by hostname', async () => {
+  const config = createProxyConfig(TEST_DOMAIN);
+  router.setNewProxyConfigs([config]);
+  
+  const req = createMockRequest(TEST_DOMAIN);
+  const result = router.routeReq(req);
+  
+  expect(result).toBeTruthy();
+  expect(result).toEqual(config);
+});
+
+// Test handling of hostname with port number
+tap.test('should handle hostname with port number', async () => {
+  const config = createProxyConfig(TEST_DOMAIN);
+  router.setNewProxyConfigs([config]);
+  
+  const req = createMockRequest(`${TEST_DOMAIN}:443`);
+  const result = router.routeReq(req);
+  
+  expect(result).toBeTruthy();
+  expect(result).toEqual(config);
+});
+
+// Test case-insensitive hostname matching
+tap.test('should perform case-insensitive hostname matching', async () => {
+  const config = createProxyConfig(TEST_DOMAIN.toLowerCase());
+  router.setNewProxyConfigs([config]);
+  
+  const req = createMockRequest(TEST_DOMAIN.toUpperCase());
+  const result = router.routeReq(req);
+  
+  expect(result).toBeTruthy();
+  expect(result).toEqual(config);
+});
+
+// Test handling of unmatched hostnames
+tap.test('should return undefined for unmatched hostnames', async () => {
+  const config = createProxyConfig(TEST_DOMAIN);
+  router.setNewProxyConfigs([config]);
+  
+  const req = createMockRequest('unknown.domain.com');
+  const result = router.routeReq(req);
+  
+  expect(result).toBeUndefined();
+});
+
+// Test adding path patterns
+tap.test('should match requests using path patterns', async () => {
+  const config = createProxyConfig(TEST_DOMAIN);
+  router.setNewProxyConfigs([config]);
+  
+  // Add a path pattern to the config
+  router.setPathPattern(config, '/api/users');
+  
+  // Test that path matches
+  const req1 = createMockRequest(TEST_DOMAIN, '/api/users');
+  const result1 = router.routeReqWithDetails(req1);
+  
+  expect(result1).toBeTruthy();
+  expect(result1.config).toEqual(config);
+  expect(result1.pathMatch).toEqual('/api/users');
+  
+  // Test that non-matching path doesn't match
+  const req2 = createMockRequest(TEST_DOMAIN, '/web/users');
+  const result2 = router.routeReqWithDetails(req2);
+  
+  expect(result2).toBeUndefined();
+});
+
+// Test handling wildcard patterns
+tap.test('should support wildcard path patterns', async () => {
+  const config = createProxyConfig(TEST_DOMAIN);
+  router.setNewProxyConfigs([config]);
+  
+  router.setPathPattern(config, '/api/*');
+  
+  // Test with path that matches the wildcard pattern
+  const req = createMockRequest(TEST_DOMAIN, '/api/users/123');
+  const result = router.routeReqWithDetails(req);
+  
+  expect(result).toBeTruthy();
+  expect(result.config).toEqual(config);
+  expect(result.pathMatch).toEqual('/api');
+  
+  // Print the actual value to diagnose issues
+  console.log('Path remainder value:', result.pathRemainder);
+  expect(result.pathRemainder).toBeTruthy();
+  expect(result.pathRemainder).toEqual('/users/123');
+});
+
+// Test extracting path parameters
+tap.test('should extract path parameters from URL', async () => {
+  const config = createProxyConfig(TEST_DOMAIN);
+  router.setNewProxyConfigs([config]);
+  
+  router.setPathPattern(config, '/users/:id/profile');
+  
+  const req = createMockRequest(TEST_DOMAIN, '/users/123/profile');
+  const result = router.routeReqWithDetails(req);
+  
+  expect(result).toBeTruthy();
+  expect(result.config).toEqual(config);
+  expect(result.pathParams).toBeTruthy();
+  expect(result.pathParams.id).toEqual('123');
+});
+
+// Test multiple configs for same hostname with different paths
+tap.test('should support multiple configs for same hostname with different paths', async () => {
+  const apiConfig = createProxyConfig(TEST_DOMAIN, '10.0.0.1', 8001);
+  const webConfig = createProxyConfig(TEST_DOMAIN, '10.0.0.2', 8002);
+  
+  // Add both configs
+  router.setNewProxyConfigs([apiConfig, webConfig]);
+  
+  // Set different path patterns
+  router.setPathPattern(apiConfig, '/api');
+  router.setPathPattern(webConfig, '/web');
+  
+  // Test API path routes to API config
+  const apiReq = createMockRequest(TEST_DOMAIN, '/api/users');
+  const apiResult = router.routeReq(apiReq);
+  
+  expect(apiResult).toEqual(apiConfig);
+  
+  // Test web path routes to web config
+  const webReq = createMockRequest(TEST_DOMAIN, '/web/dashboard');
+  const webResult = router.routeReq(webReq);
+  
+  expect(webResult).toEqual(webConfig);
+  
+  // Test unknown path returns undefined
+  const unknownReq = createMockRequest(TEST_DOMAIN, '/unknown');
+  const unknownResult = router.routeReq(unknownReq);
+  
+  expect(unknownResult).toBeUndefined();
+});
+
+// Test wildcard subdomains
+tap.test('should match wildcard subdomains', async () => {
+  const wildcardConfig = createProxyConfig(TEST_WILDCARD);
+  router.setNewProxyConfigs([wildcardConfig]);
+  
+  // Test that subdomain.example.com matches *.example.com
+  const req = createMockRequest('subdomain.example.com');
+  const result = router.routeReq(req);
+  
+  expect(result).toBeTruthy();
+  expect(result).toEqual(wildcardConfig);
+});
+
+// Test default configuration fallback
+tap.test('should fall back to default configuration', async () => {
+  const defaultConfig = createProxyConfig('*');
+  const specificConfig = createProxyConfig(TEST_DOMAIN);
+  
+  router.setNewProxyConfigs([defaultConfig, specificConfig]);
+  
+  // Test specific domain routes to specific config
+  const specificReq = createMockRequest(TEST_DOMAIN);
+  const specificResult = router.routeReq(specificReq);
+  
+  expect(specificResult).toEqual(specificConfig);
+  
+  // Test unknown domain falls back to default config
+  const unknownReq = createMockRequest('unknown.com');
+  const unknownResult = router.routeReq(unknownReq);
+  
+  expect(unknownResult).toEqual(defaultConfig);
+});
+
+// Test priority between exact and wildcard matches
+tap.test('should prioritize exact hostname over wildcard', async () => {
+  const wildcardConfig = createProxyConfig(TEST_WILDCARD);
+  const exactConfig = createProxyConfig(TEST_SUBDOMAIN);
+  
+  router.setNewProxyConfigs([wildcardConfig, exactConfig]);
+  
+  // Test that exact match takes priority
+  const req = createMockRequest(TEST_SUBDOMAIN);
+  const result = router.routeReq(req);
+  
+  expect(result).toEqual(exactConfig);
+});
+
+// Test adding and removing configurations
+tap.test('should manage configurations correctly', async () => {
+  router.setNewProxyConfigs([]);
+  
+  // Add a config
+  const config = createProxyConfig(TEST_DOMAIN);
+  router.addProxyConfig(config);
+  
+  // Verify routing works
+  const req = createMockRequest(TEST_DOMAIN);
+  let result = router.routeReq(req);
+  
+  expect(result).toEqual(config);
+  
+  // Remove the config and verify it no longer routes
+  const removed = router.removeProxyConfig(TEST_DOMAIN);
+  expect(removed).toBeTrue();
+  
+  result = router.routeReq(req);
+  expect(result).toBeUndefined();
+});
+
+// Test path pattern specificity
+tap.test('should prioritize more specific path patterns', async () => {
+  const genericConfig = createProxyConfig(TEST_DOMAIN, '10.0.0.1', 8001);
+  const specificConfig = createProxyConfig(TEST_DOMAIN, '10.0.0.2', 8002);
+  
+  router.setNewProxyConfigs([genericConfig, specificConfig]);
+  
+  router.setPathPattern(genericConfig, '/api/*');
+  router.setPathPattern(specificConfig, '/api/users');
+  
+  // The more specific '/api/users' should match before the '/api/*' wildcard
+  const req = createMockRequest(TEST_DOMAIN, '/api/users');
+  const result = router.routeReq(req);
+  
+  expect(result).toEqual(specificConfig);
+});
+
+// Test getHostnames method
+tap.test('should retrieve all configured hostnames', async () => {
+  router.setNewProxyConfigs([
+    createProxyConfig(TEST_DOMAIN),
+    createProxyConfig(TEST_SUBDOMAIN)
+  ]);
+  
+  const hostnames = router.getHostnames();
+  
+  expect(hostnames.length).toEqual(2);
+  expect(hostnames).toContain(TEST_DOMAIN.toLowerCase());
+  expect(hostnames).toContain(TEST_SUBDOMAIN.toLowerCase());
+});
+
+// Test handling missing host header
+tap.test('should handle missing host header', async () => {
+  const defaultConfig = createProxyConfig('*');
+  router.setNewProxyConfigs([defaultConfig]);
+  
+  const req = createMockRequest('');
+  req.headers.host = undefined;
+  
+  const result = router.routeReq(req);
+  
+  expect(result).toEqual(defaultConfig);
+});
+
+// Test complex path parameters
+tap.test('should handle complex path parameters', async () => {
+  const config = createProxyConfig(TEST_DOMAIN);
+  router.setNewProxyConfigs([config]);
+  
+  router.setPathPattern(config, '/api/:version/users/:userId/posts/:postId');
+  
+  const req = createMockRequest(TEST_DOMAIN, '/api/v1/users/123/posts/456');
+  const result = router.routeReqWithDetails(req);
+  
+  expect(result).toBeTruthy();
+  expect(result.config).toEqual(config);
+  expect(result.pathParams).toBeTruthy();
+  expect(result.pathParams.version).toEqual('v1');
+  expect(result.pathParams.userId).toEqual('123');
+  expect(result.pathParams.postId).toEqual('456');
+});
+
+// Performance test
+tap.test('should handle many configurations efficiently', async () => {
+  const configs = [];
+  
+  // Create many configs with different hostnames
+  for (let i = 0; i < 100; i++) {
+    configs.push(createProxyConfig(`host-${i}.example.com`));
+  }
+  
+  router.setNewProxyConfigs(configs);
+  
+  // Test middle of the list to avoid best/worst case
+  const req = createMockRequest('host-50.example.com');
+  const result = router.routeReq(req);
+  
+  expect(result).toEqual(configs[50]);
+});
+
+// Test cleanup
+tap.test('cleanup proxy router test environment', async () => {
+  // Clear all configurations
+  router.setNewProxyConfigs([]);
+  
+  // Verify empty state
+  expect(router.getHostnames().length).toEqual(0);
+  expect(router.getProxyConfigs().length).toEqual(0);
+});
+
+export default tap.start();

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '3.24.0',
+  version: '3.28.6',
   description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.'
 }

ts/classes.port80handler.ts

@@ -1,6 +1,8 @@
-import * as http from 'http';
-import * as acme from 'acme-client';
+import * as plugins from './plugins.js';
 
+/**
+ * Represents a domain certificate with various status information
+ */
 interface IDomainCertificate {
   certObtained: boolean;
   obtainingInProgress: boolean;
@@ -8,27 +10,147 @@ interface IDomainCertificate {
   privateKey?: string;
   challengeToken?: string;
   challengeKeyAuthorization?: string;
+  expiryDate?: Date;
+  lastRenewalAttempt?: Date;
 }
 
-export class Port80Handler {
+/**
+ * Configuration options for the ACME Certificate Manager
+ */
+interface IAcmeCertManagerOptions {
+  port?: number;
+  contactEmail?: string;
+  useProduction?: boolean;
+  renewThresholdDays?: number;
+  httpsRedirectPort?: number;
+  renewCheckIntervalHours?: number;
+}
+
+/**
+ * Certificate data that can be emitted via events or set from outside
+ */
+interface ICertificateData {
+  domain: string;
+  certificate: string;
+  privateKey: string;
+  expiryDate: Date;
+}
+
+/**
+ * Events emitted by the ACME Certificate Manager
+ */
+export enum CertManagerEvents {
+  CERTIFICATE_ISSUED = 'certificate-issued',
+  CERTIFICATE_RENEWED = 'certificate-renewed',
+  CERTIFICATE_FAILED = 'certificate-failed',
+  CERTIFICATE_EXPIRING = 'certificate-expiring',
+  MANAGER_STARTED = 'manager-started',
+  MANAGER_STOPPED = 'manager-stopped',
+}
+
+/**
+ * Improved ACME Certificate Manager with event emission and external certificate management
+ */
+export class AcmeCertManager extends plugins.EventEmitter {
   private domainCertificates: Map<string, IDomainCertificate>;
-  private server: http.Server;
-  private acmeClient: acme.Client | null = null;
+  private server: plugins.http.Server | null = null;
+  private acmeClient: plugins.acme.Client | null = null;
   private accountKey: string | null = null;
+  private renewalTimer: NodeJS.Timeout | null = null;
+  private isShuttingDown: boolean = false;
+  private options: Required<IAcmeCertManagerOptions>;
 
-  constructor() {
+  /**
+   * Creates a new ACME Certificate Manager
+   * @param options Configuration options
+   */
+  constructor(options: IAcmeCertManagerOptions = {}) {
+    super();
     this.domainCertificates = new Map<string, IDomainCertificate>();
+    
+    // Default options
+    this.options = {
+      port: options.port ?? 80,
+      contactEmail: options.contactEmail ?? 'admin@example.com',
+      useProduction: options.useProduction ?? false, // Safer default: staging
+      renewThresholdDays: options.renewThresholdDays ?? 30,
+      httpsRedirectPort: options.httpsRedirectPort ?? 443,
+      renewCheckIntervalHours: options.renewCheckIntervalHours ?? 24,
+    };
+  }
 
-    // Create and start an HTTP server on port 80.
-    this.server = http.createServer((req, res) => this.handleRequest(req, res));
-    this.server.listen(80, () => {
-      console.log('Port80Handler is listening on port 80');
+  /**
+   * Starts the HTTP server for ACME challenges
+   */
+  public async start(): Promise<void> {
+    if (this.server) {
+      throw new Error('Server is already running');
+    }
+    
+    if (this.isShuttingDown) {
+      throw new Error('Server is shutting down');
+    }
+
+    return new Promise((resolve, reject) => {
+      try {
+        this.server = plugins.http.createServer((req, res) => this.handleRequest(req, res));
+        
+        this.server.on('error', (error: NodeJS.ErrnoException) => {
+          if (error.code === 'EACCES') {
+            reject(new Error(`Permission denied to bind to port ${this.options.port}. Try running with elevated privileges or use a port > 1024.`));
+          } else if (error.code === 'EADDRINUSE') {
+            reject(new Error(`Port ${this.options.port} is already in use.`));
+          } else {
+            reject(error);
+          }
+        });
+        
+        this.server.listen(this.options.port, () => {
+          console.log(`AcmeCertManager is listening on port ${this.options.port}`);
+          this.startRenewalTimer();
+          this.emit(CertManagerEvents.MANAGER_STARTED, this.options.port);
+          resolve();
+        });
+      } catch (error) {
+        reject(error);
+      }
     });
   }
 
   /**
-   * Adds a domain to be managed.
-   * @param domain The domain to add.
+   * Stops the HTTP server and renewal timer
+   */
+  public async stop(): Promise<void> {
+    if (!this.server) {
+      return;
+    }
+    
+    this.isShuttingDown = true;
+    
+    // Stop the renewal timer
+    if (this.renewalTimer) {
+      clearInterval(this.renewalTimer);
+      this.renewalTimer = null;
+    }
+
+    return new Promise<void>((resolve) => {
+      if (this.server) {
+        this.server.close(() => {
+          this.server = null;
+          this.isShuttingDown = false;
+          this.emit(CertManagerEvents.MANAGER_STOPPED);
+          resolve();
+        });
+      } else {
+        this.isShuttingDown = false;
+        resolve();
+      }
+    });
+  }
+
+  /**
+   * Adds a domain to be managed for certificates
+   * @param domain The domain to add
    */
   public addDomain(domain: string): void {
     if (!this.domainCertificates.has(domain)) {
@@ -38,55 +160,126 @@ export class Port80Handler {
   }
 
   /**
-   * Removes a domain from management.
-   * @param domain The domain to remove.
+   * Removes a domain from management
+   * @param domain The domain to remove
    */
   public removeDomain(domain: string): void {
     if (this.domainCertificates.delete(domain)) {
       console.log(`Domain removed: ${domain}`);
     }
   }
+  
+  /**
+   * Sets a certificate for a domain directly (for externally obtained certificates)
+   * @param domain The domain for the certificate
+   * @param certificate The certificate (PEM format)
+   * @param privateKey The private key (PEM format)
+   * @param expiryDate Optional expiry date
+   */
+  public setCertificate(domain: string, certificate: string, privateKey: string, expiryDate?: Date): void {
+    let domainInfo = this.domainCertificates.get(domain);
+    
+    if (!domainInfo) {
+      domainInfo = { certObtained: false, obtainingInProgress: false };
+      this.domainCertificates.set(domain, domainInfo);
+    }
+    
+    domainInfo.certificate = certificate;
+    domainInfo.privateKey = privateKey;
+    domainInfo.certObtained = true;
+    domainInfo.obtainingInProgress = false;
+    
+    if (expiryDate) {
+      domainInfo.expiryDate = expiryDate;
+    } else {
+      // Try to extract expiry date from certificate
+      try {
+        // This is a simplistic approach - in a real implementation, use a proper
+        // certificate parsing library like node-forge or x509
+        const matches = certificate.match(/Not After\s*:\s*(.*?)(?:\n|$)/i);
+        if (matches && matches[1]) {
+          domainInfo.expiryDate = new Date(matches[1]);
+        }
+      } catch (error) {
+        console.warn(`Failed to extract expiry date from certificate for ${domain}`);
+      }
+    }
+    
+    console.log(`Certificate set for ${domain}`);
+    
+    // Emit certificate event
+    this.emitCertificateEvent(CertManagerEvents.CERTIFICATE_ISSUED, {
+      domain,
+      certificate,
+      privateKey,
+      expiryDate: domainInfo.expiryDate || new Date(Date.now() + 90 * 24 * 60 * 60 * 1000) // 90 days default
+    });
+  }
+  
+  /**
+   * Gets the certificate for a domain if it exists
+   * @param domain The domain to get the certificate for
+   */
+  public getCertificate(domain: string): ICertificateData | null {
+    const domainInfo = this.domainCertificates.get(domain);
+    
+    if (!domainInfo || !domainInfo.certObtained || !domainInfo.certificate || !domainInfo.privateKey) {
+      return null;
+    }
+    
+    return {
+      domain,
+      certificate: domainInfo.certificate,
+      privateKey: domainInfo.privateKey,
+      expiryDate: domainInfo.expiryDate || new Date(Date.now() + 90 * 24 * 60 * 60 * 1000) // 90 days default
+    };
+  }
 
   /**
-   * Lazy initialization of the ACME client.
-   * Uses Let’s Encrypt’s production directory (for testing you might switch to staging).
+   * Lazy initialization of the ACME client
+   * @returns An ACME client instance
    */
-  private async getAcmeClient(): Promise<acme.Client> {
+  private async getAcmeClient(): Promise<plugins.acme.Client> {
     if (this.acmeClient) {
       return this.acmeClient;
     }
-    // Generate a new account key and convert Buffer to string.
-    this.accountKey = (await acme.forge.createPrivateKey()).toString();
-    this.acmeClient = new acme.Client({
-      directoryUrl: acme.directory.letsencrypt.production, // Use production for a real certificate
-      // For testing, you could use:
-      // directoryUrl: acme.directory.letsencrypt.staging,
+    
+    // Generate a new account key
+    this.accountKey = (await plugins.acme.forge.createPrivateKey()).toString();
+    
+    this.acmeClient = new plugins.acme.Client({
+      directoryUrl: this.options.useProduction 
+        ? plugins.acme.directory.letsencrypt.production 
+        : plugins.acme.directory.letsencrypt.staging,
       accountKey: this.accountKey,
     });
-    // Create a new account. Make sure to update the contact email.
+    
+    // Create a new account
     await this.acmeClient.createAccount({
       termsOfServiceAgreed: true,
-      contact: ['mailto:admin@example.com'],
+      contact: [`mailto:${this.options.contactEmail}`],
     });
+    
     return this.acmeClient;
   }
 
   /**
-   * Handles incoming HTTP requests on port 80.
-   * If the request is for an ACME challenge, it responds with the key authorization.
-   * If the domain has a certificate, it redirects to HTTPS; otherwise, it initiates certificate issuance.
+   * Handles incoming HTTP requests
+   * @param req The HTTP request
+   * @param res The HTTP response
    */
-  private handleRequest(req: http.IncomingMessage, res: http.ServerResponse): void {
+  private handleRequest(req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse): void {
     const hostHeader = req.headers.host;
     if (!hostHeader) {
       res.statusCode = 400;
       res.end('Bad Request: Host header is missing');
       return;
     }
+    
     // Extract domain (ignoring any port in the Host header)
     const domain = hostHeader.split(':')[0];
 
-    // If the request is for an ACME HTTP-01 challenge, handle it.
+    // If the request is for an ACME HTTP-01 challenge, handle it
     if (req.url && req.url.startsWith('/.well-known/acme-challenge/')) {
       this.handleAcmeChallenge(req, res, domain);
       return;
@@ -100,38 +293,47 @@ export class Port80Handler {
 
     const domainInfo = this.domainCertificates.get(domain)!;
 
-    // If certificate exists, redirect to HTTPS on port 443.
+    // If certificate exists, redirect to HTTPS
     if (domainInfo.certObtained) {
-      const redirectUrl = `https://${domain}:443${req.url}`;
+      const httpsPort = this.options.httpsRedirectPort;
+      const portSuffix = httpsPort === 443 ? '' : `:${httpsPort}`;
+      const redirectUrl = `https://${domain}${portSuffix}${req.url || '/'}`;
+      
       res.statusCode = 301;
       res.setHeader('Location', redirectUrl);
       res.end(`Redirecting to ${redirectUrl}`);
     } else {
-      // Trigger certificate issuance if not already running.
+      // Trigger certificate issuance if not already running
       if (!domainInfo.obtainingInProgress) {
-        domainInfo.obtainingInProgress = true;
         this.obtainCertificate(domain).catch(err => {
+          this.emit(CertManagerEvents.CERTIFICATE_FAILED, { domain, error: err.message });
           console.error(`Error obtaining certificate for ${domain}:`, err);
         });
       }
+      
       res.statusCode = 503;
       res.end('Certificate issuance in progress, please try again later.');
     }
   }
 
   /**
-   * Serves the ACME HTTP-01 challenge response.
+   * Serves the ACME HTTP-01 challenge response
+   * @param req The HTTP request
+   * @param res The HTTP response
+   * @param domain The domain for the challenge
    */
-  private handleAcmeChallenge(req: http.IncomingMessage, res: http.ServerResponse, domain: string): void {
+  private handleAcmeChallenge(req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse, domain: string): void {
     const domainInfo = this.domainCertificates.get(domain);
     if (!domainInfo) {
       res.statusCode = 404;
       res.end('Domain not configured');
       return;
     }
-    // The token is the last part of the URL.
+    
+    // The token is the last part of the URL
     const urlParts = req.url?.split('/');
     const token = urlParts ? urlParts[urlParts.length - 1] : '';
+    
     if (domainInfo.challengeToken === token && domainInfo.challengeKeyAuthorization) {
       res.statusCode = 200;
       res.setHeader('Content-Type', 'text/plain');
@@ -144,71 +346,214 @@ export class Port80Handler {
   }
 
   /**
-   * Uses acme-client to perform a full ACME HTTP-01 challenge to obtain a certificate.
-   * On success, it stores the certificate and key in memory and clears challenge data.
+   * Obtains a certificate for a domain using ACME HTTP-01 challenge
+   * @param domain The domain to obtain a certificate for
+   * @param isRenewal Whether this is a renewal attempt
    */
-  private async obtainCertificate(domain: string): Promise<void> {
+  private async obtainCertificate(domain: string, isRenewal: boolean = false): Promise<void> {
+    // Get the domain info
+    const domainInfo = this.domainCertificates.get(domain);
+    if (!domainInfo) {
+      throw new Error(`Domain not found: ${domain}`);
+    }
+    
+    // Prevent concurrent certificate issuance
+    if (domainInfo.obtainingInProgress) {
+      console.log(`Certificate issuance already in progress for ${domain}`);
+      return;
+    }
+    
+    domainInfo.obtainingInProgress = true;
+    domainInfo.lastRenewalAttempt = new Date();
+    
     try {
       const client = await this.getAcmeClient();
 
-      // Create a new order for the domain.
+      // Create a new order for the domain
       const order = await client.createOrder({
         identifiers: [{ type: 'dns', value: domain }],
       });
 
-      // Get the authorizations for the order.
+      // Get the authorizations for the order
       const authorizations = await client.getAuthorizations(order);
+      
       for (const authz of authorizations) {
         const challenge = authz.challenges.find(ch => ch.type === 'http-01');
         if (!challenge) {
           throw new Error('HTTP-01 challenge not found');
         }
-        // Get the key authorization for the challenge.
+        
+        // Get the key authorization for the challenge
         const keyAuthorization = await client.getChallengeKeyAuthorization(challenge);
-        const domainInfo = this.domainCertificates.get(domain)!;
+        
+        // Store the challenge data
         domainInfo.challengeToken = challenge.token;
         domainInfo.challengeKeyAuthorization = keyAuthorization;
 
-        // Notify the ACME server that the challenge is ready.
-        // The acme-client examples show that verifyChallenge takes three arguments:
-        // (authorization, challenge, keyAuthorization). However, the official TypeScript
-        // types appear to be out-of-sync. As a workaround, we cast client to 'any'.
-        await (client as any).verifyChallenge(authz, challenge, keyAuthorization);
-
-        await client.completeChallenge(challenge);
-        // Wait until the challenge is validated.
-        await client.waitForValidStatus(challenge);
-        console.log(`HTTP-01 challenge completed for ${domain}`);
+        // ACME client type definition workaround - use compatible approach
+        // First check if challenge verification is needed
+        const authzUrl = authz.url;
+        
+        try {
+          // Check if authzUrl exists and perform verification
+          if (authzUrl) {
+            await client.verifyChallenge(authz, challenge);
+          }
+          
+          // Complete the challenge
+          await client.completeChallenge(challenge);
+          
+          // Wait for validation
+          await client.waitForValidStatus(challenge);
+          console.log(`HTTP-01 challenge completed for ${domain}`);
+        } catch (error) {
+          console.error(`Challenge error for ${domain}:`, error);
+          throw error;
+        }
       }
 
-      // Generate a CSR and a new private key for the domain.
-      // Convert the resulting Buffers to strings.
-      const [csrBuffer, privateKeyBuffer] = await acme.forge.createCsr({
+      // Generate a CSR and private key
+      const [csrBuffer, privateKeyBuffer] = await plugins.acme.forge.createCsr({
         commonName: domain,
       });
+      
       const csr = csrBuffer.toString();
       const privateKey = privateKeyBuffer.toString();
 
-      // Finalize the order and obtain the certificate.
+      // Finalize the order with our CSR
       await client.finalizeOrder(order, csr);
+      
+      // Get the certificate with the full chain
       const certificate = await client.getCertificate(order);
 
-      const domainInfo = this.domainCertificates.get(domain)!;
+      // Store the certificate and key
       domainInfo.certificate = certificate;
       domainInfo.privateKey = privateKey;
       domainInfo.certObtained = true;
-      domainInfo.obtainingInProgress = false;
+      
+      // Clear challenge data
       delete domainInfo.challengeToken;
       delete domainInfo.challengeKeyAuthorization;
+      
+      // Extract expiry date from certificate
+      try {
+        const matches = certificate.match(/Not After\s*:\s*(.*?)(?:\n|$)/i);
+        if (matches && matches[1]) {
+          domainInfo.expiryDate = new Date(matches[1]);
+          console.log(`Certificate for ${domain} will expire on ${domainInfo.expiryDate.toISOString()}`);
+        }
+      } catch (error) {
+        console.warn(`Failed to extract expiry date from certificate for ${domain}`);
+      }
 
-      console.log(`Certificate obtained for ${domain}`);
-      // In a production system, persist the certificate and key and reload your TLS server.
-    } catch (error) {
-      console.error(`Error during certificate issuance for ${domain}:`, error);
-      const domainInfo = this.domainCertificates.get(domain);
-      if (domainInfo) {
-        domainInfo.obtainingInProgress = false;
+      console.log(`Certificate ${isRenewal ? 'renewed' : 'obtained'} for ${domain}`);
+      
+      // Emit the appropriate event
+      const eventType = isRenewal 
+        ? CertManagerEvents.CERTIFICATE_RENEWED 
+        : CertManagerEvents.CERTIFICATE_ISSUED;
+      
+      this.emitCertificateEvent(eventType, {
+        domain,
+        certificate,
+        privateKey,
+        expiryDate: domainInfo.expiryDate || new Date(Date.now() + 90 * 24 * 60 * 60 * 1000) // 90 days default
+      });
+      
+    } catch (error: any) {
+      // Check for rate limit errors
+      if (error.message && (
+        error.message.includes('rateLimited') || 
+        error.message.includes('too many certificates') || 
+        error.message.includes('rate limit')
+      )) {
+        console.error(`Rate limit reached for ${domain}. Waiting before retry.`);
+      } else {
+        console.error(`Error during certificate issuance for ${domain}:`, error);
+      }
+      
+      // Emit failure event
+      this.emit(CertManagerEvents.CERTIFICATE_FAILED, {
+        domain,
+        error: error.message || 'Unknown error',
+        isRenewal
+      });
+    } finally {
+      // Reset flag whether successful or not
+      domainInfo.obtainingInProgress = false;
+    }
+  }
+
+  /**
+   * Starts the certificate renewal timer
+   */
+  private startRenewalTimer(): void {
+    if (this.renewalTimer) {
+      clearInterval(this.renewalTimer);
+    }
+    
+    // Convert hours to milliseconds
+    const checkInterval = this.options.renewCheckIntervalHours * 60 * 60 * 1000;
+    
+    this.renewalTimer = setInterval(() => this.checkForRenewals(), checkInterval);
+    
+    // Prevent the timer from keeping the process alive
+    if (this.renewalTimer.unref) {
+      this.renewalTimer.unref();
+    }
+    
+    console.log(`Certificate renewal check scheduled every ${this.options.renewCheckIntervalHours} hours`);
+  }
+
+  /**
+   * Checks for certificates that need renewal
+   */
+  private checkForRenewals(): void {
+    if (this.isShuttingDown) {
+      return;
+    }
+    
+    console.log('Checking for certificates that need renewal...');
+    
+    const now = new Date();
+    const renewThresholdMs = this.options.renewThresholdDays * 24 * 60 * 60 * 1000;
+    
+    for (const [domain, domainInfo] of this.domainCertificates.entries()) {
+      // Skip domains without certificates or already in renewal
+      if (!domainInfo.certObtained || domainInfo.obtainingInProgress) {
+        continue;
+      }
+      
+      // Skip domains without expiry dates
+      if (!domainInfo.expiryDate) {
+        continue;
+      }
+      
+      const timeUntilExpiry = domainInfo.expiryDate.getTime() - now.getTime();
+      
+      // Check if certificate is near expiry
+      if (timeUntilExpiry <= renewThresholdMs) {
+        console.log(`Certificate for ${domain} expires soon, renewing...`);
+        this.emit(CertManagerEvents.CERTIFICATE_EXPIRING, {
+          domain,
+          expiryDate: domainInfo.expiryDate,
+          daysRemaining: Math.ceil(timeUntilExpiry / (24 * 60 * 60 * 1000))
+        });
+        
+        // Start renewal process
+        this.obtainCertificate(domain, true).catch(err => {
+          console.error(`Error renewing certificate for ${domain}:`, err);
+        });
       }
     }
   }
-}
+  
+  /**
+   * Emits a certificate event with the certificate data
+   * @param eventType The event type to emit
+   * @param data The certificate data
+   */
+  private emitCertificateEvent(eventType: CertManagerEvents, data: ICertificateData): void {
+    this.emit(eventType, data);
+  }
+}

ts/classes.router.ts

@@ -1,33 +1,351 @@
-import * as plugins from './plugins.js';
+import * as http from 'http';
+import * as url from 'url';
+import * as tsclass from '@tsclass/tsclass';
+
+/**
+ * Optional path pattern configuration that can be added to proxy configs
+ */
+export interface IPathPatternConfig {
+  pathPattern?: string;
+}
+
+/**
+ * Interface for router result with additional metadata
+ */
+export interface IRouterResult {
+  config: tsclass.network.IReverseProxyConfig;
+  pathMatch?: string;
+  pathParams?: Record<string, string>;
+  pathRemainder?: string;
+}
 
 export class ProxyRouter {
-  public reverseProxyConfigs: plugins.tsclass.network.IReverseProxyConfig[] = [];
+  // Store original configs for reference
+  private reverseProxyConfigs: tsclass.network.IReverseProxyConfig[] = [];
+  // Default config to use when no match is found (optional)
+  private defaultConfig?: tsclass.network.IReverseProxyConfig;
+  // Store path patterns separately since they're not in the original interface
+  private pathPatterns: Map<tsclass.network.IReverseProxyConfig, string> = new Map();
+  // Logger interface
+  private logger: { 
+    error: (message: string, data?: any) => void;
+    warn: (message: string, data?: any) => void;
+    info: (message: string, data?: any) => void;
+    debug: (message: string, data?: any) => void;
+  };
 
-  /**
-   * sets a new set of reverse configs to be routed to
-   * @param reverseCandidatesArg
-   */
-  public setNewProxyConfigs(reverseCandidatesArg: plugins.tsclass.network.IReverseProxyConfig[]) {
-    this.reverseProxyConfigs = reverseCandidatesArg;
+  constructor(
+    configs?: tsclass.network.IReverseProxyConfig[],
+    logger?: { 
+      error: (message: string, data?: any) => void;
+      warn: (message: string, data?: any) => void;
+      info: (message: string, data?: any) => void;
+      debug: (message: string, data?: any) => void;
+    }
+  ) {
+    this.logger = logger || console;
+    if (configs) {
+      this.setNewProxyConfigs(configs);
+    }
   }
 
   /**
-   * routes a request
+   * Sets a new set of reverse configs to be routed to
+   * @param reverseCandidatesArg Array of reverse proxy configurations
    */
-  public routeReq(req: plugins.http.IncomingMessage): plugins.tsclass.network.IReverseProxyConfig {
+  public setNewProxyConfigs(reverseCandidatesArg: tsclass.network.IReverseProxyConfig[]): void {
+    this.reverseProxyConfigs = [...reverseCandidatesArg];
+    
+    // Find default config if any (config with "*" as hostname)
+    this.defaultConfig = this.reverseProxyConfigs.find(config => config.hostName === '*');
+    
+    this.logger.info(`Router initialized with ${this.reverseProxyConfigs.length} configs (${this.getHostnames().length} unique hosts)`);
+  }
+
+  /**
+   * Routes a request based on hostname and path
+   * @param req The incoming HTTP request
+   * @returns The matching proxy config or undefined if no match found
+   */
+  public routeReq(req: http.IncomingMessage): tsclass.network.IReverseProxyConfig {
+    const result = this.routeReqWithDetails(req);
+    return result ? result.config : undefined;
+  }
+  
+  /**
+   * Routes a request with detailed matching information
+   * @param req The incoming HTTP request
+   * @returns Detailed routing result including matched config and path information
+   */
+  public routeReqWithDetails(req: http.IncomingMessage): IRouterResult | undefined {
+    // Extract and validate host header
     const originalHost = req.headers.host;
     if (!originalHost) {
-      console.error('No host header found in request');
+      this.logger.error('No host header found in request');
+      return this.defaultConfig ? { config: this.defaultConfig } : undefined;
+    }
+    
+    // Parse URL for path matching
+    const parsedUrl = url.parse(req.url || '/');
+    const urlPath = parsedUrl.pathname || '/';
+    
+    // Extract hostname without port
+    const hostWithoutPort = originalHost.split(':')[0].toLowerCase();
+    
+    // First try exact hostname match
+    const exactConfig = this.findConfigForHost(hostWithoutPort, urlPath);
+    if (exactConfig) {
+      return exactConfig;
+    }
+    
+    // Try wildcard subdomain
+    if (hostWithoutPort.includes('.')) {
+      const domainParts = hostWithoutPort.split('.');
+      if (domainParts.length > 2) {
+        const wildcardDomain = `*.${domainParts.slice(1).join('.')}`;
+        const wildcardConfig = this.findConfigForHost(wildcardDomain, urlPath);
+        if (wildcardConfig) {
+          return wildcardConfig;
+        }
+      }
+    }
+    
+    // Fall back to default config if available
+    if (this.defaultConfig) {
+      this.logger.warn(`No specific config found for host: ${hostWithoutPort}, using default`);
+      return { config: this.defaultConfig };
+    }
+    
+    this.logger.error(`No config found for host: ${hostWithoutPort}`);
+    return undefined;
+  }
+  
+  /**
+   * Find a config for a specific host and path
+   */
+  private findConfigForHost(hostname: string, path: string): IRouterResult | undefined {
+    // Find all configs for this hostname
+    const configs = this.reverseProxyConfigs.filter(
+      config => config.hostName.toLowerCase() === hostname.toLowerCase()
+    );
+    
+    if (configs.length === 0) {
       return undefined;
     }
-    // Strip port from host if present
-    const hostWithoutPort = originalHost.split(':')[0];
-    const correspodingReverseProxyConfig = this.reverseProxyConfigs.find((reverseConfig) => {
-      return reverseConfig.hostName === hostWithoutPort;
+    
+    // First try configs with path patterns
+    const configsWithPaths = configs.filter(config => this.pathPatterns.has(config));
+    
+    // Sort by path pattern specificity - more specific first
+    configsWithPaths.sort((a, b) => {
+      const aPattern = this.pathPatterns.get(a) || '';
+      const bPattern = this.pathPatterns.get(b) || '';
+      
+      // Exact patterns come before wildcard patterns
+      const aHasWildcard = aPattern.includes('*');
+      const bHasWildcard = bPattern.includes('*');
+      
+      if (aHasWildcard && !bHasWildcard) return 1;
+      if (!aHasWildcard && bHasWildcard) return -1;
+      
+      // Longer patterns are considered more specific
+      return bPattern.length - aPattern.length;
     });
-    if (!correspodingReverseProxyConfig) {
-      console.error(`No config found for host: ${hostWithoutPort}`);
+    
+    // Check each config with path pattern
+    for (const config of configsWithPaths) {
+      const pathPattern = this.pathPatterns.get(config);
+      if (pathPattern) {
+        const pathMatch = this.matchPath(path, pathPattern);
+        if (pathMatch) {
+          return {
+            config,
+            pathMatch: pathMatch.matched,
+            pathParams: pathMatch.params,
+            pathRemainder: pathMatch.remainder
+          };
+        }
+      }
     }
-    return correspodingReverseProxyConfig;
+    
+    // If no path pattern matched, use the first config without a path pattern
+    const configWithoutPath = configs.find(config => !this.pathPatterns.has(config));
+    if (configWithoutPath) {
+      return { config: configWithoutPath };
+    }
+    
+    return undefined;
   }
-}
+  
+  /**
+   * Matches a URL path against a pattern
+   * Supports:
+   * - Exact matches: /users/profile
+   * - Wildcards: /api/* (matches any path starting with /api/)
+   * - Path parameters: /users/:id (captures id as a parameter)
+   * 
+   * @param path The URL path to match
+   * @param pattern The pattern to match against
+   * @returns Match result with params and remainder, or null if no match
+   */
+  private matchPath(path: string, pattern: string): { 
+    matched: string; 
+    params: Record<string, string>; 
+    remainder: string;
+  } | null {
+    // Handle exact match
+    if (path === pattern) {
+      return {
+        matched: pattern,
+        params: {},
+        remainder: ''
+      };
+    }
+    
+    // Handle wildcard match
+    if (pattern.endsWith('/*')) {
+      const prefix = pattern.slice(0, -2);
+      if (path === prefix || path.startsWith(`${prefix}/`)) {
+        return {
+          matched: prefix,
+          params: {},
+          remainder: path.slice(prefix.length)
+        };
+      }
+      return null;
+    }
+    
+    // Handle path parameters
+    const patternParts = pattern.split('/').filter(p => p);
+    const pathParts = path.split('/').filter(p => p);
+    
+    // Too few path parts to match
+    if (pathParts.length < patternParts.length) {
+      return null;
+    }
+    
+    const params: Record<string, string> = {};
+    
+    // Compare each part
+    for (let i = 0; i < patternParts.length; i++) {
+      const patternPart = patternParts[i];
+      const pathPart = pathParts[i];
+      
+      // Handle parameter
+      if (patternPart.startsWith(':')) {
+        const paramName = patternPart.slice(1);
+        params[paramName] = pathPart;
+        continue;
+      }
+      
+      // Handle wildcard at the end
+      if (patternPart === '*' && i === patternParts.length - 1) {
+        break;
+      }
+      
+      // Handle exact match for this part
+      if (patternPart !== pathPart) {
+        return null;
+      }
+    }
+    
+    // Calculate the remainder - the unmatched path parts
+    const remainderParts = pathParts.slice(patternParts.length);
+    const remainder = remainderParts.length ? '/' + remainderParts.join('/') : '';
+    
+    // Calculate the matched path
+    const matchedParts = patternParts.map((part, i) => {
+      return part.startsWith(':') ? pathParts[i] : part;
+    });
+    const matched = '/' + matchedParts.join('/');
+    
+    return {
+      matched,
+      params,
+      remainder
+    };
+  }
+  
+  /**
+   * Gets all currently active proxy configurations
+   * @returns Array of all active configurations
+   */
+  public getProxyConfigs(): tsclass.network.IReverseProxyConfig[] {
+    return [...this.reverseProxyConfigs];
+  }
+  
+  /**
+   * Gets all hostnames that this router is configured to handle
+   * @returns Array of hostnames
+   */
+  public getHostnames(): string[] {
+    const hostnames = new Set<string>();
+    for (const config of this.reverseProxyConfigs) {
+      if (config.hostName !== '*') {
+        hostnames.add(config.hostName.toLowerCase());
+      }
+    }
+    return Array.from(hostnames);
+  }
+  
+  /**
+   * Adds a single new proxy configuration
+   * @param config The configuration to add
+   * @param pathPattern Optional path pattern for route matching
+   */
+  public addProxyConfig(
+    config: tsclass.network.IReverseProxyConfig, 
+    pathPattern?: string
+  ): void {
+    this.reverseProxyConfigs.push(config);
+    
+    // Store path pattern if provided
+    if (pathPattern) {
+      this.pathPatterns.set(config, pathPattern);
+    }
+  }
+  
+  /**
+   * Sets a path pattern for an existing config
+   * @param config The existing configuration
+   * @param pathPattern The path pattern to set
+   * @returns Boolean indicating if the config was found and updated
+   */
+  public setPathPattern(
+    config: tsclass.network.IReverseProxyConfig, 
+    pathPattern: string
+  ): boolean {
+    const exists = this.reverseProxyConfigs.includes(config);
+    if (exists) {
+      this.pathPatterns.set(config, pathPattern);
+      return true;
+    }
+    return false;
+  }
+  
+  /**
+   * Removes a proxy configuration by hostname
+   * @param hostname The hostname to remove
+   * @returns Boolean indicating whether any configs were removed
+   */
+  public removeProxyConfig(hostname: string): boolean {
+    const initialCount = this.reverseProxyConfigs.length;
+    
+    // Find configs to remove
+    const configsToRemove = this.reverseProxyConfigs.filter(
+      config => config.hostName === hostname
+    );
+    
+    // Remove them from the patterns map
+    for (const config of configsToRemove) {
+      this.pathPatterns.delete(config);
+    }
+    
+    // Filter them out of the configs array
+    this.reverseProxyConfigs = this.reverseProxyConfigs.filter(
+      config => config.hostName !== hostname
+    );
+    
+    return this.reverseProxyConfigs.length !== initialCount;
+  }
+}

ts/plugins.ts

@@ -1,11 +1,13 @@
 // node native scope
+import { EventEmitter } from 'events';
 import * as http from 'http';
 import * as https from 'https';
 import * as net from 'net';
 import * as tls from 'tls';
 import * as url from 'url';
 
-export { http, https, net, tls, url };
+
+export { EventEmitter, http, https, net, tls, url };
 
 // tsclass scope
 import * as tsclass from '@tsclass/tsclass';
@@ -22,9 +24,10 @@ import * as smartstring from '@push.rocks/smartstring';
 export { lik, smartdelay, smartrequest, smartpromise, smartstring };
 
 // third party scope
+import * as acme from 'acme-client';
 import prettyMs from 'pretty-ms';
 import * as ws from 'ws';
 import wsDefault from 'ws';
 import { minimatch } from 'minimatch';
 
-export { prettyMs, ws, wsDefault, minimatch };
+export { acme, prettyMs, ws, wsDefault, minimatch };