4.1.10

- Renamed port proxy and SNI handler source files to classes.pp.portproxy.js and classes.pp.snihandler.js respectively
- Updated import paths in index.ts and test files (e.g. in test.ts and test.router.ts) to reference the new file names
- This refactor improves code organization but breaks direct imports from the old paths

changelog.md

@@ -1,5 +1,392 @@
 # Changelog
 
+## 2025-03-16 - 4.1.10 - fix(connectionhandler)
+Increase delay timings for TLS alert transmission in session ticket blocking to allow graceful socket termination
+
+- Updated finishConnection: replaced immediate socket.destroy with a graceful end call
+- Increased delay after successful write from 50ms to 200ms to allow alert processing
+- Raised safety timeout from 250ms to 400ms when waiting for 'drain' event
+
+## 2025-03-16 - 4.1.9 - fix(ConnectionHandler)
+Replace closeNotify alert with handshake failure alert in TLS ClientHello handling to properly signal missing SNI and enforce session ticket restrictions.
+
+- Switched alert data sent on missing SNI from closeNotifyAlert to sslHandshakeFailureAlertData.
+- Ensures consistent TLS alert behavior during handshake failure.
+
+## 2025-03-16 - 4.1.8 - fix(ConnectionHandler/tls)
+Change the TLS alert sent when a ClientHello lacks SNI: use the close_notify alert instead of handshake_failure to prompt immediate retry with SNI.
+
+- Replaced the previously sent handshake_failure alert (code 0x28) with a close_notify alert (code 0x00) in the TLS session resumption handling in ConnectionHandler.
+- This change encourages clients to immediately retry and include SNI when allowSessionTicket is false.
+
+## 2025-03-16 - 4.1.7 - fix(classes.pp.connectionhandler)
+Improve TLS alert handling in ClientHello when SNI is missing and session tickets are disallowed
+
+- Replace the unrecognized_name alert with a handshake_failure alert to ensure better client behavior.
+- Refactor the alert sending mechanism using cork/uncork and add a safety timeout for the drain event.
+- Enhance logging for debugging TLS handshake failures when SNI is absent.
+
+## 2025-03-16 - 4.1.6 - fix(tls)
+Refine TLS ClientHello handling when allowSessionTicket is false by replacing extensive alert timeout logic with a concise warning alert and short delay, encouraging immediate client retry with proper SNI
+
+- Update the TLS alert sending mechanism to use cork/uncork and a short, fixed delay instead of long timeouts
+- Remove redundant event listeners and excessive cleanup logic after sending the alert
+- Improve code clarity and encourage clients (e.g., Chrome) to retry handshake with SNI more responsively
+
+## 2025-03-16 - 4.1.5 - fix(TLS/ConnectionHandler)
+Improve handling of TLS session resumption without SNI by sending an 'unrecognized_name' alert instead of immediately terminating the connection. This change adds a grace period for the client to retry the handshake with proper SNI and cleans up the connection if no valid response is received.
+
+- Send a TLS warning (unrecognized_name alert, code 112) when a ClientHello is received without SNI and session tickets are disallowed.
+- Utilize socket cork/uncork to ensure the alert is sent as a single packet.
+- Add a 5-second alert timeout and a subsequent 30-second grace period to allow clients to initiate a new handshake with SNI.
+- Clean up and terminate the connection if no valid SNI is provided after the grace period, logging appropriate termination reasons.
+
+## 2025-03-15 - 4.1.4 - fix(ConnectionHandler)
+Refactor ConnectionHandler code formatting for improved readability and consistency in log messages and whitespace handling
+
+- Standardized indentation and spacing in method signatures and log statements
+- Aligned inline comments and string concatenations for clarity
+- Minor refactoring of parameter formatting without changing functionality
+
+## 2025-03-15 - 4.1.3 - fix(connectionhandler)
+Improve handling of TLS ClientHello messages when allowSessionTicket is disabled and no SNI is provided by sending a warning alert (unrecognized_name, code 0x70) with a proper callback and delay to ensure the alert is transmitted before closing the connection.
+
+- Replace the fatal alert (0x02/0x40) with a warning alert (0x01/0x70) to notify clients to send SNI.
+- Use socket.write callback to wait 100ms after sending the alert before terminating the connection.
+- Remove the previous short (50ms) delay in favor of a more reliable delay mechanism before cleanup.
+
+## 2025-03-15 - 4.1.2 - fix(connectionhandler)
+Send proper TLS alert before terminating connections when SNI is missing and session tickets are disallowed.
+
+- Added logic to transmit a fatal TLS alert (Handshake Failure) before closing the connection when no SNI is present with allowSessionTicket=false.
+- Introduced a slight 50ms delay after sending the alert to ensure the client receives the alert properly.
+- Applied these changes both for the initial ClientHello and when handling subsequent TLS data.
+
+## 2025-03-15 - 4.1.1 - fix(tls)
+Enforce strict SNI handling in TLS connections by terminating ClientHello messages lacking SNI when session tickets are disallowed and removing legacy session cache code.
+
+- In classes.pp.connectionhandler.ts, if allowSessionTicket is false and no SNI is extracted from a ClientHello, the connection is terminated to force a new handshake with SNI.
+- In classes.pp.snihandler.ts, removed session cache and related cleanup functions used for tab reactivation, simplifying SNI extraction logic.
+- Improved logging in TLS processing to aid in diagnosing handshake and session resumption issues.
+
+## 2025-03-14 - 4.1.0 - feat(SniHandler)
+Enhance SNI extraction to support session caching and tab reactivation by adding session cache initialization, cleanup and helper methods. Update processTlsPacket to use cached SNI for session resumption and connection racing scenarios.
+
+- Introduce initSessionCacheCleanup, cleanupSessionCache, createClientKey, cacheSession, and getCachedSession methods to manage SNI information.
+- Cache SNI based on client IP and client random to improve handling of fragmented ClientHello messages and tab reactivation.
+- Update processTlsPacket to leverage cached SNI when standard extraction fails, reducing redundant extraction and enhancing connection racing behavior.
+
+## 2025-03-14 - 4.0.0 - BREAKING CHANGE(core)
+refactor: reorganize internal module structure to use 'classes.pp.*' modules
+
+- Renamed port proxy and SNI handler source files to 'classes.pp.portproxy.js' and 'classes.pp.snihandler.js' respectively
+- Updated import paths in index.ts and test files (e.g. in test.ts and test.router.ts) to reference the new file names
+- This refactor improves code organization but breaks direct imports from the old paths
+
+- Renamed 'ts/classes.portproxy.ts' to 'ts/classes.pp.portproxy.ts'
+- Renamed 'ts/classes.snihandler.ts' to 'ts/classes.pp.snihandler.ts'
+- Updated exports in index.ts to export from 'classes.pp.portproxy.js' and 'classes.pp.snihandler.js'
+- Updated test files to import modules from new paths
+
+## 2025-03-12 - 3.41.8 - fix(portproxy)
+Improve TLS handshake timeout handling and connection piping in PortProxy
+
+- Increase the default initial handshake timeout from 60 seconds to 120 seconds
+- Add a 30-second grace period before terminating connections waiting for initial TLS data
+- Refactor piping logic by removing redundant callback and establishing piping immediately after flushing buffered data
+- Enhance debug logging during TLS ClientHello processing for improved SNI extraction insights
+
+## 2025-03-12 - 3.41.7 - fix(core)
+Refactor PortProxy and SniHandler: improve configuration handling, logging, and whitespace consistency
+
+- Standardized indentation and spacing for configuration properties in PortProxy settings (e.g. ACME options, keepAliveProbes, allowSessionTicket)
+- Simplified conditional formatting and improved inline comments in PortProxy
+- Enhanced logging messages in SniHandler for TLS handshake and session resumption detection
+- Improved debugging output (e.g. hexdump of initial TLS packet) and consistency of multi-line expressions
+
+## 2025-03-12 - 3.41.6 - fix(SniHandler)
+Refactor SniHandler: update whitespace, comment formatting, and consistent type definitions
+
+- Unified inline comment style and spacing in SniHandler
+- Refactored session cache type declaration for clarity
+- Adjusted buffer length calculations to include TLS record header consistently
+- Minor improvements to logging messages during ClientHello reassembly and SNI extraction
+
+## 2025-03-12 - 3.41.5 - fix(portproxy)
+Enforce TLS handshake and SNI validation on port 443 by blocking non-TLS connections and terminating session resumption attempts without SNI when allowSessionTicket is disabled.
+
+- Added explicit check to block non-TLS connections on port 443 to ensure proper TLS usage.
+- Enhanced logging for TLS ClientHello to include details on SNI extraction and session resumption status.
+- Terminate connections with missing SNI by setting termination reasons ('session_ticket_blocked' or 'no_sni_blocked').
+- Ensured consistent rejection of non-TLS handshakes on standard HTTPS port.
+
+## 2025-03-12 - 3.41.4 - fix(tls/sni)
+Improve logging for TLS session resumption by extracting and logging SNI values from ClientHello messages.
+
+- Added logging to output the extracted SNI value during renegotiation, initial ClientHello and in the SNI handler.
+- Enhanced error handling during SNI extraction to aid troubleshooting of TLS session resumption issues.
+
+## 2025-03-12 - 3.41.3 - fix(TLS/SNI)
+Improve TLS session resumption handling and logging. Now, session resumption attempts are always logged with details, and connections without a proper SNI are rejected when allowSessionTicket is disabled. In addition, empty SNI extensions are explicitly treated as missing, ensuring stricter and more consistent TLS handshake validation.
+
+- Always log session resumption in both renegotiation and initial ClientHello processing.
+- Terminate connections that attempt session resumption without SNI when allowSessionTicket is false.
+- Treat empty SNI extensions as absence of SNI to improve consistency in TLS handshake processing.
+
+## 2025-03-11 - 3.41.2 - fix(SniHandler)
+Refactor hasSessionResumption to return detailed session resumption info
+
+- Changed the return type of hasSessionResumption from boolean to an object with properties isResumption and hasSNI
+- Updated early return conditions to return { isResumption: false, hasSNI: false } when buffer is too short or invalid
+- Modified corresponding documentation to reflect the new return type
+
+## 2025-03-11 - 3.41.1 - fix(SniHandler)
+Improve TLS SNI session resumption handling: connections containing a session ticket are now only rejected when no SNI is present and allowSessionTicket is disabled. Updated return values and logging for clearer resumption detection.
+
+- Changed SniHandler.hasSessionResumption to return an object with 'isResumption' and 'hasSNI' flags.
+- Adjusted PortProxy logic to only terminate connections when a session ticket is detected without an accompanying SNI (when allowSessionTicket is false).
+- Enhanced debug logging to clearly differentiate between session resumption scenarios with and without SNI.
+
+## 2025-03-11 - 3.41.0 - feat(PortProxy/TLS)
+Add allowSessionTicket option to control TLS session ticket handling
+
+- Introduce 'allowSessionTicket' flag (default true) in PortProxy settings to enable or disable TLS session resumption via session tickets.
+- Update SniHandler with a new hasSessionResumption method to detect session ticket and PSK extensions in ClientHello messages.
+- Force connection cleanup during renegotiation and initial handshake when allowSessionTicket is set to false and a session ticket is detected.
+
+## 2025-03-11 - 3.40.0 - feat(SniHandler)
+Add session cache support and tab reactivation detection to improve SNI extraction in TLS handshakes
+
+- Introduce a session cache mechanism to store and retrieve cached SNI values based on client IP (and optionally client random) to better handle tab reactivation scenarios.
+- Implement functions to initialize, update, and clean up the session cache for TLS ClientHello messages.
+- Enhance SNI extraction logic to check for tab reactivation handshakes and to return cached SNI for resumed connections or 0-RTT scenarios.
+- Update PSK extension handling to safely skip over obfuscated ticket age bytes.
+
+## 2025-03-11 - 3.39.0 - feat(PortProxy)
+Add domain-specific NetworkProxy integration support to PortProxy
+
+- Introduced new properties 'useNetworkProxy' and 'networkProxyPort' in domain configurations.
+- Updated forwardToNetworkProxy to accept an optional custom proxy port parameter.
+- Enhanced TLS handshake processing to extract SNI and, if a matching domain config specifies NetworkProxy usage, forward the connection using the domain-specific port.
+- Refined connection routing logic to check for domain-specific NetworkProxy settings before falling back to default behavior.
+
+## 2025-03-11 - 3.38.2 - fix(core)
+No code changes detected; bumping patch version for consistency.
+
+
+## 2025-03-11 - 3.38.1 - fix(PortProxy)
+Improve SNI extraction handling in PortProxy by passing explicit connection info to extractSNIWithResumptionSupport for better TLS renegotiation and debug logging.
+
+- In the renegotiation handler, create and pass a connection info object (sourceIp, sourcePort, destIp, destPort) instead of a boolean flag.
+- Update the TLS handshake processing to construct a connection info object for detailed SNI extraction and logging.
+- Enhance consistency by using processTlsPacket with cached SNI hints during fallback.
+
+## 2025-03-11 - 3.38.0 - feat(SniHandler)
+Enhance SNI extraction to support fragmented ClientHello messages, TLS 1.3 early data, and improved PSK parsing
+
+- Added isTlsApplicationData method for detecting TLS application data packets
+- Implemented handleFragmentedClientHello to buffer and reassemble fragmented ClientHello messages
+- Extended extractSNIWithResumptionSupport to accept connection information and use reassembled data
+- Added detection for TLS 1.3 early data (0-RTT) in the ClientHello, supporting session resumption scenarios
+- Improved logging and heuristics for handling potential connection racing in modern browsers
+
+## 2025-03-11 - 3.37.3 - fix(snihandler)
+Enhance SNI extraction to support TLS 1.3 PSK-based session resumption by adding a dedicated extractSNIFromPSKExtension method and improved logging for session resumption indicators.
+
+- Defined TLS_PSK_EXTENSION_TYPE and TLS_PSK_KE_MODES_EXTENSION_TYPE constants.
+- Added extractSNIFromPSKExtension method to handle ClientHello messages containing PSK identities.
+- Improved logging to indicate when session resumption indicators (ticket or PSK) are present but no standard SNI is found.
+- Enhanced extractSNIWithResumptionSupport to attempt PSK extraction if standard SNI extraction fails.
+
+## 2025-03-11 - 3.37.2 - fix(PortProxy)
+Improve buffering and data handling during connection setup in PortProxy to prevent data loss
+
+- Added a safeDataHandler and processDataQueue to buffer incoming data reliably during the TLS handshake phase
+- Introduced a queue with pause/resume logic to avoid exceeding maxPendingDataSize and ensure all pending data is flushed before piping begins
+- Refactored the piping setup to install the renegotiation handler only after proper data flushing
+
+## 2025-03-11 - 3.37.1 - fix(PortProxy/SNI)
+Refactor SNI extraction in PortProxy to use the dedicated SniHandler class
+
+- Removed local SNI extraction and handshake detection functions from classes.portproxy.ts
+- Introduced a standalone SniHandler class in ts/classes.snihandler.ts for robust SNI extraction and improved logging
+- Replaced inlined calls to isTlsHandshake and extractSNI with calls to SniHandler methods
+- Ensured consistency in handling TLS ClientHello messages across the codebase
+
+## 2025-03-11 - 3.37.0 - feat(portproxy)
+Add ACME certificate management options to PortProxy, update ACME settings handling, and bump dependency versions
+
+- Bumped version in package.json from 3.34.0 to 3.36.0 and updated commitinfo accordingly
+- Updated dependencies: @push.rocks/tapbundle to ^5.5.10, @types/node to ^22.13.10, and @tsclass/tsclass to ^5.0.0
+- Added ACME certificate management configuration to PortProxy settings (acme options, updateAcmeSettings, requestCertificate)
+- Enhanced sync of domain configs to NetworkProxy with fallback for missing default certificates
+
+## 2025-03-11 - 3.34.0 - feat(core)
+Improve wildcard domain matching and enhance NetworkProxy integration in PortProxy. Added support for TLD wildcards and complex wildcard patterns in the router, and refactored TLS renegotiation handling for stricter SNI enforcement.
+
+- Added support for TLD wildcard matching (e.g., 'example.*') to improve domain routing.
+- Implemented complex wildcard pattern matching (e.g., '*.lossless*') in the router.
+- Enhanced NetworkProxy integration by initializing a single NetworkProxy instance and forwarding TLS connections accordingly.
+- Refactored TLS renegotiation handling to terminate connections on SNI mismatch for stricter enforcement.
+- Updated tests to cover the new wildcard matching scenarios.
+
+## 2025-03-11 - 3.33.0 - feat(portproxy)
+Add browser-friendly mode and SNI renegotiation configuration options to PortProxy
+
+- Introduce new properties: browserFriendlyMode (default true) to optimize handling for browser connections.
+- Add allowRenegotiationWithDifferentSNI (default false) to enable or disable SNI changes during renegotiation.
+- Include relatedDomainPatterns to define patterns for related domains that can share connections.
+- Update TypeScript interfaces and internal renegotiation logic to support these options.
+
+## 2025-03-11 - 3.32.2 - fix(PortProxy)
+Simplify TLS handshake SNI extraction and update timeout settings in PortProxy for improved maintainability and reliability.
+
+- Removed legacy and deprecated fields related to chained proxy configurations (isChainedProxy, chainPosition, aggressiveTlsRefresh).
+- Refactored the extractSNI functions to use a simpler, more robust approach for TLS ClientHello processing.
+- Adjusted default timeout and keep-alive settings to more standard values (e.g. initialDataTimeout set to 60s, socketTimeout to 1h).
+- Eliminated redundant TLS session cache and deep TLS refresh logic.
+- Improved logging and error handling during connection setup and renegotiation phases.
+
+## 2025-03-11 - 3.32.1 - fix(portproxy)
+Relax TLS handshake and connection timeout settings for improved stability in chained proxy scenarios; update TLS session cache defaults and add keep-alive flags to connection records.
+
+- Increased TLS session cache maximum entries from 10,000 to 20,000, expiry time from 24 hours to 7 days, and cleanup interval from 10 minutes to 30 minutes
+- Relaxed socket timeouts: standalone connections now use up to 6 hours, with chained proxies adjusted for 5–6 hours based on proxy position
+- Updated inactivity, connection, and initial handshake timeouts to provide a more relaxed behavior under high-traffic chained proxy scenarios
+- Increased keepAliveInitialDelay from 10 seconds to 30 seconds and introduced separate incoming and outgoing keep-alive flags
+- Enhanced TLS renegotiation handling with more detailed logging and temporary processing flags to avoid duplicate processing
+- Updated NetworkProxy integration to use optimized connection settings and more aggressive application-level keep-alive probes
+
+## 2025-03-11 - 3.32.0 - feat(PortProxy)
+Enhance TLS session cache, SNI extraction, and chained proxy support in PortProxy. Improve handling of multiple and fragmented TLS records, and add new configuration options (isChainedProxy, chainPosition, aggressiveTlsRefresh, tlsSessionCache) for robust TLS certificate refresh.
+
+- Implement TlsSessionCache with configurable cleanup, eviction, and statistics.
+- Improve extractSNIInfo to process multiple TLS records and partial handshake data.
+- Add new settings to detect chained proxy scenarios and adjust timeouts accordingly.
+- Enhance TLS state refresh with aggressive probing and deep refresh sequence.
+
+## 2025-03-11 - 3.31.2 - fix(PortProxy)
+Improve SNI renegotiation handling by adding flexible domain configuration matching on rehandshake and session resumption events.
+
+- When a rehandshake is detected with a changed SNI, first check existing domain config rules and log if allowed.
+- If the exact domain config is not found, additionally attempt flexible matching using parent domain and wildcard patterns.
+- For resumed sessions, try an exact match first and then use fallback logic to select a similar domain config based on matching target IP.
+- Enhanced logging added to help diagnose missing or mismatched domain configurations.
+
+## 2025-03-11 - 3.31.1 - fix(PortProxy)
+Improve TLS handshake buffering and enhance debug logging for SNI forwarding in PortProxy
+
+- Explicitly copy the initial TLS handshake data to prevent mutation before buffering
+- Log buffered TLS handshake data with SNI information for better diagnostics
+- Add detailed error logs on TLS connection failures, including server and domain config status
+- Output additional debug messages during ClientHello forwarding to verify proper TLS handshake processing
+
+## 2025-03-11 - 3.31.0 - feat(PortProxy)
+Improve TLS handshake SNI extraction and add session resumption tracking in PortProxy
+
+- Added ITlsSessionInfo interface and a global tlsSessionCache to track TLS session IDs for session resumption
+- Implemented a cleanup timer for the TLS session cache with startSessionCleanupTimer and stopSessionCleanupTimer
+- Enhanced extractSNIInfo to return detailed SNI information including session IDs, ticket details, and resumption status
+- Updated renegotiation handlers to use extractSNIInfo for proper SNI extraction during TLS rehandshake
+
+## 2025-03-11 - 3.30.8 - fix(core)
+No changes in this commit.
+
+
+## 2025-03-11 - 3.30.7 - fix(PortProxy)
+Improve TLS renegotiation SNI handling by first checking if the new SNI is allowed under the existing domain config. If not, attempt to find an alternative domain config and update the locked domain accordingly; otherwise, terminate the connection on SNI mismatch.
+
+- Added a preliminary check against the original domain config to allow re-handshakes if the new SNI matches allowed patterns.
+- If the original config does not allow, search for an alternative domain config and validate IP rules.
+- Update the locked domain when allowed, ensuring connection reuse with valid certificate context.
+- Terminate the connection if no suitable domain config is found or IP restrictions are violated.
+
+## 2025-03-11 - 3.30.6 - fix(PortProxy)
+Improve TLS renegotiation handling in PortProxy by validating the new SNI against allowed domain configurations. If the new SNI is permitted based on existing IP rules, update the locked domain to allow connection reuse; otherwise, terminate the connection to prevent misrouting.
+
+- Added logic to check if a new SNI during renegotiation is allowed by comparing IP rules from the matching domain configuration.
+- Updated detailed logging to indicate when a valid SNI change is accepted and when it results in a mismatch termination.
+
+## 2025-03-10 - 3.30.5 - fix(internal)
+No uncommitted changes detected; project files and tests remain unchanged.
+
+
+## 2025-03-10 - 3.30.4 - fix(PortProxy)
+Fix TLS renegotiation handling and adjust TLS keep-alive timeouts in PortProxy implementation
+
+- Allow TLS renegotiation data without an explicit SNI extraction to pass through, ensuring valid renegotiations are not dropped (critical for Chrome).
+- Update TLS keep-alive timeout from an aggressive 30 minutes to a more generous 4 hours to reduce unnecessary reconnections.
+- Increase inactivity thresholds for TLS connections from 20 minutes to 2 hours with an additional verification interval extended from 5 to 15 minutes.
+- Adjust long-lived TLS connection timeout from 45 minutes to 8 hours for improved certificate context refresh in chained proxy scenarios.
+
+## 2025-03-10 - 3.30.3 - fix(classes.portproxy.ts)
+Simplify timeout management in PortProxy and fix chained proxy certificate refresh issues
+
+- Reduced TLS keep-alive timeout from 8 hours to 30 minutes to ensure frequent certificate refresh
+- Added aggressive TLS state refresh after 20 minutes of inactivity and secondary verification checks
+- Lowered long-lived TLS connection lifetime from 12 hours to 45 minutes to prevent stale certificates
+- Removed configurable timeout settings from the public API in favor of hardcoded sensible defaults
+- Simplified internal timeout management to reduce code complexity and improve certificate handling in chained proxies
+
+## 2025-03-10 - 3.31.0 - fix(classes.portproxy.ts)
+Simplified timeout management and fixed certificate issues in chained proxy scenarios
+
+- Dramatically reduced TLS keep-alive timeout from 8 hours to 30 minutes to ensure fresh certificates
+- Added aggressive certificate refresh after 20 minutes of inactivity (down from 4 hours)
+- Added secondary verification checks for TLS refresh operations
+- Reduced long-lived TLS connection lifetime from 12 hours to 45 minutes
+- Removed configurable timeouts completely from the public API in favor of hardcoded sensible defaults
+- Simplified interface by removing no-longer-configurable settings while maintaining internal compatibility
+- Reduced overall code complexity by eliminating complex timeout management
+- Fixed chained proxy certificate issues by ensuring more frequent certificate refreshes in all deployment scenarios
+
+## 2025-03-10 - 3.30.2 - fix(classes.portproxy.ts)
+Adjust TLS keep-alive timeout to refresh certificate context.
+
+- Modified TLS keep-alive timeout for connections to 8 hours to refresh certificate context.
+- Updated timeout log messages for clarity on TLS certificate refresh.
+
+## 2025-03-10 - 3.30.1 - fix(PortProxy)
+Improve TLS keep-alive management and fix whitespace formatting
+
+- Implemented better handling for TLS keep-alive connections after sleep or long inactivity.
+- Reformatted whitespace for better readability and consistency.
+
+## 2025-03-08 - 3.30.0 - feat(PortProxy)
+Add advanced TLS keep-alive handling and system sleep detection
+
+- Implemented system sleep detection to maintain keep-alive connections.
+- Enhanced TLS keep-alive connections with extended timeout and sleep detection mechanisms.
+- Introduced automatic TLS state refresh after system wake-up to prevent connection drops.
+
+## 2025-03-07 - 3.29.3 - fix(core)
+Fix functional errors in the proxy setup and enhance pnpm configuration
+
+- Corrected pnpm configuration to include specific dependencies as 'onlyBuiltDependencies'.
+
+## 2025-03-07 - 3.29.2 - fix(PortProxy)
+Fix test for PortProxy handling of custom IPs in Docker/CI environments.
+
+- Ensure compatibility with Docker/CI environments by standardizing on 127.0.0.1 for test server setup.
+- Simplify test configuration by using a unique port rather than different IPs.
+
+## 2025-03-07 - 3.29.1 - fix(readme)
+Update readme for IPTablesProxy options
+
+- Add comprehensive examples for IPTablesProxy usage.
+- Expand IPTablesProxy settings with IPv6, logging, and advanced features.
+- Clarify option defaults and descriptions for IPTablesProxy.
+- Enhance 'Troubleshooting' section with IPTables tips.
+
+## 2025-03-07 - 3.29.0 - feat(IPTablesProxy)
+Enhanced IPTablesProxy with multi-port and IPv6 support
+
+- Added support for specifying multiple ports and port ranges, allowing for more complex network proxy configurations.
+- Introduced IPv6 support to allow handling of IPv6 addressed networks.
+- Implemented more detailed logging and error handling features to improve debugging capabilities.
+- Enhanced integration options with NetworkProxy, allowing for a more seamless routing and termination process.
+- Restructured the initialization and validation process to ensure robust handling of configuration settings.
+
 ## 2025-03-07 - 3.28.6 - fix(PortProxy)
 Adjust default timeout settings and enhance keep-alive connection handling in PortProxy.
 

package.json

@@ -1,8 +1,8 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "3.28.6",
+  "version": "4.1.10",
   "private": false,
-  "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.",
+  "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.",
   "main": "dist_ts/index.js",
   "typings": "dist_ts/index.d.ts",
   "type": "module",
@@ -18,8 +18,8 @@
     "@git.zone/tsbuild": "^2.2.6",
     "@git.zone/tsrun": "^1.2.44",
     "@git.zone/tstest": "^1.0.77",
-    "@push.rocks/tapbundle": "^5.5.6",
-    "@types/node": "^22.13.9",
+    "@push.rocks/tapbundle": "^5.5.10",
+    "@types/node": "^22.13.10",
     "typescript": "^5.8.2"
   },
   "dependencies": {
@@ -28,7 +28,7 @@
     "@push.rocks/smartpromise": "^4.2.3",
     "@push.rocks/smartrequest": "^2.0.23",
     "@push.rocks/smartstring": "^4.0.15",
-    "@tsclass/tsclass": "^4.4.0",
+    "@tsclass/tsclass": "^5.0.0",
     "@types/minimatch": "^5.1.2",
     "@types/ws": "^8.18.0",
     "acme-client": "^5.4.0",
@@ -77,6 +77,11 @@
     "url": "https://code.foss.global/push.rocks/smartproxy/issues"
   },
   "pnpm": {
-    "overrides": {}
+    "overrides": {},
+    "onlyBuiltDependencies": [
+      "esbuild",
+      "mongodb-memory-server",
+      "puppeteer"
+    ]
   }
 }

readme.md

@@ -320,8 +320,8 @@ portProxy.start();
 ```typescript
 import { IPTablesProxy } from '@push.rocks/smartproxy';
 
-// Configure IPTables to forward from port 80 to 8080
-const iptables = new IPTablesProxy({
+// Basic usage - forward single port
+const basicProxy = new IPTablesProxy({
   fromPort: 80,
   toPort: 8080,
   toHost: 'localhost',
@@ -329,7 +329,38 @@ const iptables = new IPTablesProxy({
   deleteOnExit: true  // Automatically clean up rules on process exit
 });
 
-iptables.start();
+// Forward port ranges
+const rangeProxy = new IPTablesProxy({
+  fromPort: { from: 3000, to: 3010 },  // Forward ports 3000-3010
+  toPort: { from: 8000, to: 8010 },    // To ports 8000-8010
+  protocol: 'tcp',                     // TCP protocol (default)
+  ipv6Support: true,                   // Enable IPv6 support
+  enableLogging: true                  // Enable detailed logging
+});
+
+// Multiple port specifications with IP filtering
+const advancedProxy = new IPTablesProxy({
+  fromPort: [80, 443, { from: 8000, to: 8010 }],  // Multiple ports/ranges
+  toPort: [8080, 8443, { from: 18000, to: 18010 }],
+  allowedSourceIPs: ['10.0.0.0/8', '192.168.1.0/24'],  // Only allow these IPs
+  bannedSourceIPs: ['192.168.1.100'],                 // Explicitly block these IPs
+  addJumpRule: true,                                  // Use custom chain for better management
+  checkExistingRules: true                           // Check for duplicate rules
+});
+
+// NetworkProxy integration for SSL termination
+const sslProxy = new IPTablesProxy({
+  fromPort: 443,
+  toPort: 8443,
+  netProxyIntegration: {
+    enabled: true,
+    redirectLocalhost: true,           // Redirect localhost traffic to NetworkProxy
+    sslTerminationPort: 8443           // Port where NetworkProxy handles SSL
+  }
+});
+
+// Start any of the proxies
+await basicProxy.start();
 ```
 
 ### Automatic HTTPS Certificate Management
@@ -383,13 +414,30 @@ acmeHandler.addDomain('api.example.com');
 
 ### IPTablesProxy Settings
 
-| Option            | Description                                 | Default     |
-|-------------------|---------------------------------------------|-------------|
-| `fromPort`        | Source port to forward from                 | -           |
-| `toPort`          | Destination port to forward to              | -           |
-| `toHost`          | Destination host to forward to              | 'localhost' |
-| `preserveSourceIP`| Preserve the original client IP             | false       |
-| `deleteOnExit`    | Remove iptables rules when process exits    | false       |
+| Option                | Description                                       | Default     |
+|-----------------------|---------------------------------------------------|-------------|
+| `fromPort`            | Source port(s) or range(s) to forward from        | -           |
+| `toPort`              | Destination port(s) or range(s) to forward to     | -           |
+| `toHost`              | Destination host to forward to                    | 'localhost' |
+| `preserveSourceIP`    | Preserve the original client IP                   | false       |
+| `deleteOnExit`        | Remove iptables rules when process exits          | false       |
+| `protocol`            | Protocol to forward ('tcp', 'udp', or 'all')      | 'tcp'       |
+| `enableLogging`       | Enable detailed logging                           | false       |
+| `ipv6Support`         | Enable IPv6 support with ip6tables                | false       |
+| `allowedSourceIPs`    | Array of IP addresses/CIDR allowed to connect     | -           |
+| `bannedSourceIPs`     | Array of IP addresses/CIDR blocked from connecting | -           |
+| `forceCleanSlate`     | Clear all IPTablesProxy rules before starting     | false       |
+| `addJumpRule`         | Add a custom chain for cleaner rule management    | false       |
+| `checkExistingRules`  | Check if rules already exist before adding        | true        |
+| `netProxyIntegration` | NetworkProxy integration options (object)         | -           |
+
+#### IPTablesProxy NetworkProxy Integration Options
+
+| Option               | Description                                       | Default |
+|----------------------|---------------------------------------------------|---------|
+| `enabled`            | Enable NetworkProxy integration                   | false   |
+| `redirectLocalhost`  | Redirect localhost traffic to NetworkProxy        | false   |
+| `sslTerminationPort` | Port where NetworkProxy handles SSL termination   | -       |
 
 ## Advanced Features
 
@@ -442,6 +490,18 @@ The `PortProxy` class can inspect the SNI (Server Name Indication) field in TLS
 - Domain-specific allowed IP ranges
 - Protection against SNI renegotiation attacks
 
+### Enhanced IPTables Management
+
+The improved `IPTablesProxy` class offers advanced capabilities:
+
+- Support for multiple port ranges and individual ports
+- IPv6 support with ip6tables
+- Source IP filtering with allow/block lists
+- Custom chain creation for better rule organization
+- NetworkProxy integration for SSL termination
+- Automatic rule existence checking to prevent duplicates
+- Comprehensive cleanup on shutdown
+
 ## Troubleshooting
 
 ### Browser Certificate Errors
@@ -475,6 +535,16 @@ For improved connection stability in high-traffic environments:
 4. **Monitor Connection Statistics**: Enable detailed logging to track termination reasons
 5. **Fine-tune Inactivity Checks**: Adjust `inactivityCheckInterval` based on your traffic patterns
 
+### IPTables Troubleshooting
+
+If you're experiencing issues with IPTablesProxy:
+
+1. **Enable Detailed Logging**: Set `enableLogging: true` to see all rule operations
+2. **Force Clean Slate**: Use `forceCleanSlate: true` to remove any lingering rules
+3. **Use Custom Chains**: Enable `addJumpRule: true` for cleaner rule management
+4. **Check Permissions**: Ensure your process has sufficient permissions to modify iptables
+5. **Verify IPv6 Support**: If using `ipv6Support: true`, ensure ip6tables is available
+
 ## License and Legal Information
 
 This repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license](license) file within this repository. 

test/test.portproxy.ts

@@ -1,6 +1,6 @@
 import { expect, tap } from '@push.rocks/tapbundle';
 import * as net from 'net';
-import { PortProxy } from '../ts/classes.portproxy.js';
+import { PortProxy } from '../ts/classes.pp.portproxy.js';
 
 let testServer: net.Server;
 let portProxy: PortProxy;
@@ -113,20 +113,21 @@ tap.test('should forward TCP connections to custom host', async () => {
 });
 
 // Test custom IP forwarding
-// SIMPLIFIED: This version avoids port ranges and domain configs to prevent loops
+// Modified to work in Docker/CI environments without needing 127.0.0.2
 tap.test('should forward connections to custom IP', async () => {
   // Set up ports that are FAR apart to avoid any possible confusion
-  const forcedProxyPort = PROXY_PORT + 2;  // 4003 - The port that our proxy listens on
-  const targetServerPort = TEST_SERVER_PORT + 200;  // 4200 - Target test server on another IP
+  const forcedProxyPort = PROXY_PORT + 2;      // 4003 - The port that our proxy listens on
+  const targetServerPort = TEST_SERVER_PORT + 200;  // 4200 - Target test server on different port
   
-  // Create a test server listening on 127.0.0.2:4200
-  const testServer2 = await createTestServer(targetServerPort, '127.0.0.2');
+  // Create a test server listening on a unique port on 127.0.0.1 (works in all environments)
+  const testServer2 = await createTestServer(targetServerPort, '127.0.0.1');
 
-  // Simplify the test drastically - use ONE proxy with very explicit configuration
+  // We're simulating routing to a different IP by using a different port
+  // This tests the core functionality without requiring multiple IPs
   const domainProxy = new PortProxy({
     fromPort: forcedProxyPort,  // 4003 - Listen on this port
-    toPort: targetServerPort,   // 4200 - Default forwarding port - MUST BE DIFFERENT from fromPort
-    targetIP: '127.0.0.2',      // Forward to IP where test server is
+    toPort: targetServerPort,   // 4200 - Forward to this port
+    targetIP: '127.0.0.1',      // Always use localhost (works in Docker)
     domainConfigs: [],          // No domain configs to confuse things
     sniEnabled: false,
     defaultAllowedIPs: ['127.0.0.1', '::ffff:127.0.0.1'], // Allow localhost
@@ -298,8 +299,8 @@ tap.test('should use round robin for multiple target IPs in domain config', asyn
   
   // Don't track this proxy as it doesn't actually start or listen
   
-  const firstTarget = (proxyInstance as any).getTargetIP(domainConfig);
-  const secondTarget = (proxyInstance as any).getTargetIP(domainConfig);
+  const firstTarget = proxyInstance.domainConfigManager.getTargetIP(domainConfig);
+  const secondTarget = proxyInstance.domainConfigManager.getTargetIP(domainConfig);
   expect(firstTarget).toEqual('hostA');
   expect(secondTarget).toEqual('hostB');
 });

test/test.router.ts

@@ -197,6 +197,52 @@ tap.test('should match wildcard subdomains', async () => {
   expect(result).toEqual(wildcardConfig);
 });
 
+// Test TLD wildcards (example.*)
+tap.test('should match TLD wildcards', async () => {
+  const tldWildcardConfig = createProxyConfig('example.*');
+  router.setNewProxyConfigs([tldWildcardConfig]);
+  
+  // Test that example.com matches example.*
+  const req1 = createMockRequest('example.com');
+  const result1 = router.routeReq(req1);
+  expect(result1).toBeTruthy();
+  expect(result1).toEqual(tldWildcardConfig);
+  
+  // Test that example.org matches example.*
+  const req2 = createMockRequest('example.org');
+  const result2 = router.routeReq(req2);
+  expect(result2).toBeTruthy();
+  expect(result2).toEqual(tldWildcardConfig);
+  
+  // Test that subdomain.example.com doesn't match example.*
+  const req3 = createMockRequest('subdomain.example.com');
+  const result3 = router.routeReq(req3);
+  expect(result3).toBeUndefined();
+});
+
+// Test complex pattern matching (*.lossless*)
+tap.test('should match complex wildcard patterns', async () => {
+  const complexWildcardConfig = createProxyConfig('*.lossless*');
+  router.setNewProxyConfigs([complexWildcardConfig]);
+  
+  // Test that sub.lossless.com matches *.lossless*
+  const req1 = createMockRequest('sub.lossless.com');
+  const result1 = router.routeReq(req1);
+  expect(result1).toBeTruthy();
+  expect(result1).toEqual(complexWildcardConfig);
+  
+  // Test that api.lossless.org matches *.lossless*
+  const req2 = createMockRequest('api.lossless.org');
+  const result2 = router.routeReq(req2);
+  expect(result2).toBeTruthy();
+  expect(result2).toEqual(complexWildcardConfig);
+  
+  // Test that losslessapi.com matches *.lossless*
+  const req3 = createMockRequest('losslessapi.com');
+  const result3 = router.routeReq(req3);
+  expect(result3).toBeUndefined(); // Should not match as it doesn't have a subdomain
+});
+
 // Test default configuration fallback
 tap.test('should fall back to default configuration', async () => {
   const defaultConfig = createProxyConfig('*');

test/test.ts

@@ -226,8 +226,8 @@ tap.test('should start the proxy server', async () => {
   // Awaiting the update ensures that the SNI context is added before any requests come in.
   await testProxy.updateProxyConfigs([
     {
-      destinationIp: '127.0.0.1',
-      destinationPort: '3000',
+      destinationIps: ['127.0.0.1'],
+      destinationPorts: [3000],
       hostName: 'push.rocks',
       publicKey: testCertificates.publicKey,
       privateKey: testCertificates.privateKey,
@@ -280,8 +280,8 @@ tap.test('should support WebSocket connections', async () => {
   // Reconfigure proxy with test certificates if necessary
   await testProxy.updateProxyConfigs([
     {
-      destinationIp: '127.0.0.1',
-      destinationPort: '3000',
+      destinationIps: ['127.0.0.1'],
+      destinationPorts: [3000],
       hostName: 'push.rocks',
       publicKey: testCertificates.publicKey,
       privateKey: testCertificates.privateKey,

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '3.28.6',
-  description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.'
+  version: '4.1.10',
+  description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
 }

ts/classes.iptablesproxy.ts

@@ -3,43 +3,100 @@ import { promisify } from 'util';
 
 const execAsync = promisify(exec);
 
+/**
+ * Represents a port range for forwarding
+ */
+export interface IPortRange {
+  from: number;
+  to: number;
+}
+
 /**
  * Settings for IPTablesProxy.
  */
 export interface IIpTableProxySettings {
-  fromPort: number;
-  toPort: number;
+  // Basic settings
+  fromPort: number | IPortRange | Array<number | IPortRange>; // Support single port, port range, or multiple ports/ranges
+  toPort: number | IPortRange | Array<number | IPortRange>;
   toHost?: string; // Target host for proxying; defaults to 'localhost'
-  preserveSourceIP?: boolean; // If true, the original source IP is preserved.
-  deleteOnExit?: boolean;   // If true, clean up marked iptables rules before process exit.
+  
+  // Advanced settings
+  preserveSourceIP?: boolean; // If true, the original source IP is preserved
+  deleteOnExit?: boolean;     // If true, clean up marked iptables rules before process exit
+  protocol?: 'tcp' | 'udp' | 'all'; // Protocol to forward, defaults to 'tcp'
+  enableLogging?: boolean;    // Enable detailed logging
+  ipv6Support?: boolean;      // Enable IPv6 support (ip6tables)
+  
+  // Source filtering
+  allowedSourceIPs?: string[]; // If provided, only these IPs are allowed
+  bannedSourceIPs?: string[];  // If provided, these IPs are blocked
+  
+  // Rule management
+  forceCleanSlate?: boolean;   // Clear all IPTablesProxy rules before starting
+  addJumpRule?: boolean;       // Add a custom chain for cleaner rule management
+  checkExistingRules?: boolean; // Check if rules already exist before adding
+  
+  // Integration with PortProxy/NetworkProxy
+  netProxyIntegration?: {
+    enabled: boolean;
+    redirectLocalhost?: boolean; // Redirect localhost traffic to NetworkProxy
+    sslTerminationPort?: number; // Port where NetworkProxy handles SSL termination
+  };
+}
+
+/**
+ * Represents a rule added to iptables
+ */
+interface IpTablesRule {
+  table: string;
+  chain: string;
+  command: string;
+  tag: string;
+  added: boolean;
 }
 
 /**
  * IPTablesProxy sets up iptables NAT rules to forward TCP traffic.
- * It only supports basic port forwarding and uses iptables comments to tag rules.
+ * Enhanced with multi-port support, IPv6, and integration with PortProxy/NetworkProxy.
  */
 export class IPTablesProxy {
   public settings: IIpTableProxySettings;
-  private rulesInstalled: boolean = false;
+  private rules: IpTablesRule[] = [];
   private ruleTag: string;
+  private customChain: string | null = null;
 
   constructor(settings: IIpTableProxySettings) {
+    // Validate inputs to prevent command injection
+    this.validateSettings(settings);
+    
+    // Set default settings
     this.settings = {
       ...settings,
       toHost: settings.toHost || 'localhost',
+      protocol: settings.protocol || 'tcp',
+      enableLogging: settings.enableLogging !== undefined ? settings.enableLogging : false,
+      ipv6Support: settings.ipv6Support !== undefined ? settings.ipv6Support : false,
+      checkExistingRules: settings.checkExistingRules !== undefined ? settings.checkExistingRules : true,
+      netProxyIntegration: settings.netProxyIntegration || { enabled: false }
     };
-    // Generate a unique identifier for the rules added by this instance.
+    
+    // Generate a unique identifier for the rules added by this instance
     this.ruleTag = `IPTablesProxy:${Date.now()}:${Math.random().toString(36).substr(2, 5)}`;
+    
+    if (this.settings.addJumpRule) {
+      this.customChain = `IPTablesProxy_${Math.random().toString(36).substr(2, 5)}`;
+    }
 
-    // If deleteOnExit is true, register cleanup handlers.
+    // Register cleanup handlers if deleteOnExit is true
     if (this.settings.deleteOnExit) {
       const cleanup = () => {
         try {
-          IPTablesProxy.cleanSlateSync();
+          this.stopSync();
         } catch (err) {
           console.error('Error cleaning iptables rules on exit:', err);
         }
       };
+      
       process.on('exit', cleanup);
       process.on('SIGINT', () => {
         cleanup();
@@ -53,76 +110,591 @@ export class IPTablesProxy {
   }
 
   /**
-   * Sets up iptables rules for port forwarding.
-   * The rules are tagged with a unique comment so that they can be identified later.
+   * Validates settings to prevent command injection and ensure valid values
    */
-  public async start(): Promise<void> {
-    const dnatCmd = `iptables -t nat -A PREROUTING -p tcp --dport ${this.settings.fromPort} ` +
-      `-j DNAT --to-destination ${this.settings.toHost}:${this.settings.toPort} ` +
-      `-m comment --comment "${this.ruleTag}:DNAT"`;
-    try {
-      await execAsync(dnatCmd);
-      console.log(`Added iptables rule: ${dnatCmd}`);
-      this.rulesInstalled = true;
-    } catch (err) {
-      console.error(`Failed to add iptables DNAT rule: ${err}`);
-      throw err;
-    }
-
-    // If preserveSourceIP is false, add a MASQUERADE rule.
-    if (!this.settings.preserveSourceIP) {
-      const masqueradeCmd = `iptables -t nat -A POSTROUTING -p tcp -d ${this.settings.toHost} ` +
-        `--dport ${this.settings.toPort} -j MASQUERADE ` +
-        `-m comment --comment "${this.ruleTag}:MASQ"`;
-      try {
-        await execAsync(masqueradeCmd);
-        console.log(`Added iptables rule: ${masqueradeCmd}`);
-      } catch (err) {
-        console.error(`Failed to add iptables MASQUERADE rule: ${err}`);
-        // Roll back the DNAT rule if MASQUERADE fails.
-        try {
-          const rollbackCmd = `iptables -t nat -D PREROUTING -p tcp --dport ${this.settings.fromPort} ` +
-            `-j DNAT --to-destination ${this.settings.toHost}:${this.settings.toPort} ` +
-            `-m comment --comment "${this.ruleTag}:DNAT"`;
-          await execAsync(rollbackCmd);
-          this.rulesInstalled = false;
-        } catch (rollbackErr) {
-          console.error(`Rollback failed: ${rollbackErr}`);
+  private validateSettings(settings: IIpTableProxySettings): void {
+    // Validate port numbers
+    const validatePorts = (port: number | IPortRange | Array<number | IPortRange>) => {
+      if (Array.isArray(port)) {
+        port.forEach(p => validatePorts(p));
+        return;
+      }
+      
+      if (typeof port === 'number') {
+        if (port < 1 || port > 65535) {
+          throw new Error(`Invalid port number: ${port}`);
+        }
+      } else if (typeof port === 'object') {
+        if (port.from < 1 || port.from > 65535 || port.to < 1 || port.to > 65535 || port.from > port.to) {
+          throw new Error(`Invalid port range: ${port.from}-${port.to}`);
+        }
+      }
+    };
+    
+    validatePorts(settings.fromPort);
+    validatePorts(settings.toPort);
+    
+    // Define regex patterns at the method level so they're available throughout
+    const ipRegex = /^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$/;
+    const ipv6Regex = /^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$/;
+    
+    // Validate IP addresses
+    const validateIPs = (ips?: string[]) => {
+      if (!ips) return;
+      
+      for (const ip of ips) {
+        if (!ipRegex.test(ip) && !ipv6Regex.test(ip)) {
+          throw new Error(`Invalid IP address format: ${ip}`);
+        }
+      }
+    };
+    
+    validateIPs(settings.allowedSourceIPs);
+    validateIPs(settings.bannedSourceIPs);
+    
+    // Validate toHost - only allow hostnames or IPs
+    if (settings.toHost) {
+      const hostRegex = /^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$/;
+      if (!hostRegex.test(settings.toHost) && !ipRegex.test(settings.toHost) && !ipv6Regex.test(settings.toHost)) {
+        throw new Error(`Invalid host format: ${settings.toHost}`);
+      }
+    }
+  }
+  
+  /**
+   * Normalizes port specifications into an array of port ranges
+   */
+  private normalizePortSpec(portSpec: number | IPortRange | Array<number | IPortRange>): IPortRange[] {
+    const result: IPortRange[] = [];
+    
+    if (Array.isArray(portSpec)) {
+      // If it's an array, process each element
+      for (const spec of portSpec) {
+        result.push(...this.normalizePortSpec(spec));
+      }
+    } else if (typeof portSpec === 'number') {
+      // Single port becomes a range with the same start and end
+      result.push({ from: portSpec, to: portSpec });
+    } else {
+      // Already a range
+      result.push(portSpec);
+    }
+    
+    return result;
+  }
+
+  /**
+   * Gets the appropriate iptables command based on settings
+   */
+  private getIptablesCommand(isIpv6: boolean = false): string {
+    return isIpv6 ? 'ip6tables' : 'iptables';
+  }
+
+  /**
+   * Checks if a rule already exists in iptables
+   */
+  private async ruleExists(table: string, command: string, isIpv6: boolean = false): Promise<boolean> {
+    try {
+      const iptablesCmd = this.getIptablesCommand(isIpv6);
+      const { stdout } = await execAsync(`${iptablesCmd}-save -t ${table}`);
+      // Convert the command to the format found in iptables-save output
+      // (This is a simplification - in reality, you'd need more parsing)
+      const rulePattern = command.replace(`${iptablesCmd} -t ${table} -A `, '-A ');
+      return stdout.split('\n').some(line => line.trim() === rulePattern);
+    } catch (err) {
+      this.log('error', `Failed to check if rule exists: ${err}`);
+      return false;
+    }
+  }
+
+  /**
+   * Sets up a custom chain for better rule management
+   */
+  private async setupCustomChain(isIpv6: boolean = false): Promise<boolean> {
+    if (!this.customChain) return true;
+    
+    const iptablesCmd = this.getIptablesCommand(isIpv6);
+    const table = 'nat';
+    
+    try {
+      // Create the chain
+      await execAsync(`${iptablesCmd} -t ${table} -N ${this.customChain}`);
+      this.log('info', `Created custom chain: ${this.customChain}`);
+      
+      // Add jump rule to PREROUTING chain
+      const jumpCommand = `${iptablesCmd} -t ${table} -A PREROUTING -j ${this.customChain} -m comment --comment "${this.ruleTag}:JUMP"`;
+      await execAsync(jumpCommand);
+      this.log('info', `Added jump rule to ${this.customChain}`);
+      
+      // Store the jump rule
+      this.rules.push({
+        table,
+        chain: 'PREROUTING',
+        command: jumpCommand,
+        tag: `${this.ruleTag}:JUMP`,
+        added: true
+      });
+      
+      return true;
+    } catch (err) {
+      this.log('error', `Failed to set up custom chain: ${err}`);
+      return false;
+    }
+  }
+
+  /**
+   * Add a source IP filter rule
+   */
+  private async addSourceIPFilter(isIpv6: boolean = false): Promise<boolean> {
+    if (!this.settings.allowedSourceIPs && !this.settings.bannedSourceIPs) {
+      return true;
+    }
+    
+    const iptablesCmd = this.getIptablesCommand(isIpv6);
+    const table = 'nat';
+    const chain = this.customChain || 'PREROUTING';
+    
+    try {
+      // Add banned IPs first (explicit deny)
+      if (this.settings.bannedSourceIPs && this.settings.bannedSourceIPs.length > 0) {
+        for (const ip of this.settings.bannedSourceIPs) {
+          const command = `${iptablesCmd} -t ${table} -A ${chain} -s ${ip} -j DROP -m comment --comment "${this.ruleTag}:BANNED"`;
+          
+          // Check if rule already exists
+          if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
+            this.log('info', `Rule already exists, skipping: ${command}`);
+            continue;
+          }
+          
+          await execAsync(command);
+          this.log('info', `Added banned IP rule: ${command}`);
+          
+          this.rules.push({
+            table,
+            chain,
+            command,
+            tag: `${this.ruleTag}:BANNED`,
+            added: true
+          });
+        }
+      }
+      
+      // Add allowed IPs (explicit allow)
+      if (this.settings.allowedSourceIPs && this.settings.allowedSourceIPs.length > 0) {
+        // First add a default deny for all
+        const denyAllCommand = `${iptablesCmd} -t ${table} -A ${chain} -p ${this.settings.protocol} -j DROP -m comment --comment "${this.ruleTag}:DENY_ALL"`;
+        
+        // Add allow rules for specific IPs
+        for (const ip of this.settings.allowedSourceIPs) {
+          const command = `${iptablesCmd} -t ${table} -A ${chain} -s ${ip} -p ${this.settings.protocol} -j ACCEPT -m comment --comment "${this.ruleTag}:ALLOWED"`;
+          
+          // Check if rule already exists
+          if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
+            this.log('info', `Rule already exists, skipping: ${command}`);
+            continue;
+          }
+          
+          await execAsync(command);
+          this.log('info', `Added allowed IP rule: ${command}`);
+          
+          this.rules.push({
+            table,
+            chain,
+            command,
+            tag: `${this.ruleTag}:ALLOWED`,
+            added: true
+          });
+        }
+        
+        // Now add the default deny after all allows
+        if (this.settings.checkExistingRules && await this.ruleExists(table, denyAllCommand, isIpv6)) {
+          this.log('info', `Rule already exists, skipping: ${denyAllCommand}`);
+        } else {
+          await execAsync(denyAllCommand);
+          this.log('info', `Added default deny rule: ${denyAllCommand}`);
+          
+          this.rules.push({
+            table,
+            chain,
+            command: denyAllCommand,
+            tag: `${this.ruleTag}:DENY_ALL`,
+            added: true
+          });
+        }
+      }
+      
+      return true;
+    } catch (err) {
+      this.log('error', `Failed to add source IP filter rules: ${err}`);
+      return false;
+    }
+  }
+
+  /**
+   * Adds a port forwarding rule
+   */
+  private async addPortForwardingRule(
+    fromPortRange: IPortRange,
+    toPortRange: IPortRange,
+    isIpv6: boolean = false
+  ): Promise<boolean> {
+    const iptablesCmd = this.getIptablesCommand(isIpv6);
+    const table = 'nat';
+    const chain = this.customChain || 'PREROUTING';
+    
+    try {
+      // Handle single port case
+      if (fromPortRange.from === fromPortRange.to && toPortRange.from === toPortRange.to) {
+        // Single port forward
+        const command = `${iptablesCmd} -t ${table} -A ${chain} -p ${this.settings.protocol} --dport ${fromPortRange.from} ` +
+          `-j DNAT --to-destination ${this.settings.toHost}:${toPortRange.from} ` +
+          `-m comment --comment "${this.ruleTag}:DNAT"`;
+        
+        // Check if rule already exists
+        if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
+          this.log('info', `Rule already exists, skipping: ${command}`);
+        } else {
+          await execAsync(command);
+          this.log('info', `Added port forwarding rule: ${command}`);
+          
+          this.rules.push({
+            table,
+            chain,
+            command,
+            tag: `${this.ruleTag}:DNAT`,
+            added: true
+          });
+        }
+      } else if (fromPortRange.to - fromPortRange.from === toPortRange.to - toPortRange.from) {
+        // Port range forward with equal ranges
+        const command = `${iptablesCmd} -t ${table} -A ${chain} -p ${this.settings.protocol} --dport ${fromPortRange.from}:${fromPortRange.to} ` +
+          `-j DNAT --to-destination ${this.settings.toHost}:${toPortRange.from}-${toPortRange.to} ` +
+          `-m comment --comment "${this.ruleTag}:DNAT_RANGE"`;
+        
+        // Check if rule already exists
+        if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
+          this.log('info', `Rule already exists, skipping: ${command}`);
+        } else {
+          await execAsync(command);
+          this.log('info', `Added port range forwarding rule: ${command}`);
+          
+          this.rules.push({
+            table,
+            chain,
+            command,
+            tag: `${this.ruleTag}:DNAT_RANGE`,
+            added: true
+          });
+        }
+      } else {
+        // Unequal port ranges need individual rules
+        for (let i = 0; i <= fromPortRange.to - fromPortRange.from; i++) {
+          const fromPort = fromPortRange.from + i;
+          const toPort = toPortRange.from + i % (toPortRange.to - toPortRange.from + 1);
+          
+          const command = `${iptablesCmd} -t ${table} -A ${chain} -p ${this.settings.protocol} --dport ${fromPort} ` +
+            `-j DNAT --to-destination ${this.settings.toHost}:${toPort} ` +
+            `-m comment --comment "${this.ruleTag}:DNAT_INDIVIDUAL"`;
+          
+          // Check if rule already exists
+          if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
+            this.log('info', `Rule already exists, skipping: ${command}`);
+            continue;
+          }
+          
+          await execAsync(command);
+          this.log('info', `Added individual port forwarding rule: ${command}`);
+          
+          this.rules.push({
+            table,
+            chain,
+            command,
+            tag: `${this.ruleTag}:DNAT_INDIVIDUAL`,
+            added: true
+          });
+        }
+      }
+      
+      // If preserveSourceIP is false, add a MASQUERADE rule
+      if (!this.settings.preserveSourceIP) {
+        // For port range
+        const masqCommand = `${iptablesCmd} -t nat -A POSTROUTING -p ${this.settings.protocol} -d ${this.settings.toHost} ` +
+          `--dport ${toPortRange.from}:${toPortRange.to} -j MASQUERADE ` +
+          `-m comment --comment "${this.ruleTag}:MASQ"`;
+        
+        // Check if rule already exists
+        if (this.settings.checkExistingRules && await this.ruleExists('nat', masqCommand, isIpv6)) {
+          this.log('info', `Rule already exists, skipping: ${masqCommand}`);
+        } else {
+          await execAsync(masqCommand);
+          this.log('info', `Added MASQUERADE rule: ${masqCommand}`);
+          
+          this.rules.push({
+            table: 'nat',
+            chain: 'POSTROUTING',
+            command: masqCommand,
+            tag: `${this.ruleTag}:MASQ`,
+            added: true
+          });
+        }
+      }
+      
+      return true;
+    } catch (err) {
+      this.log('error', `Failed to add port forwarding rule: ${err}`);
+      
+      // Try to roll back any rules that were already added
+      await this.rollbackRules();
+      
+      return false;
+    }
+  }
+
+  /**
+   * Special handling for NetworkProxy integration
+   */
+  private async setupNetworkProxyIntegration(isIpv6: boolean = false): Promise<boolean> {
+    if (!this.settings.netProxyIntegration?.enabled) {
+      return true;
+    }
+    
+    const netProxyConfig = this.settings.netProxyIntegration;
+    const iptablesCmd = this.getIptablesCommand(isIpv6);
+    const table = 'nat';
+    const chain = this.customChain || 'PREROUTING';
+    
+    try {
+      // If redirectLocalhost is true, set up special rule to redirect localhost traffic to NetworkProxy
+      if (netProxyConfig.redirectLocalhost && netProxyConfig.sslTerminationPort) {
+        const redirectCommand = `${iptablesCmd} -t ${table} -A OUTPUT -p tcp -d 127.0.0.1 -j REDIRECT ` +
+          `--to-port ${netProxyConfig.sslTerminationPort} ` +
+          `-m comment --comment "${this.ruleTag}:NETPROXY_REDIRECT"`;
+        
+        // Check if rule already exists
+        if (this.settings.checkExistingRules && await this.ruleExists(table, redirectCommand, isIpv6)) {
+          this.log('info', `Rule already exists, skipping: ${redirectCommand}`);
+        } else {
+          await execAsync(redirectCommand);
+          this.log('info', `Added NetworkProxy redirection rule: ${redirectCommand}`);
+          
+          this.rules.push({
+            table,
+            chain: 'OUTPUT',
+            command: redirectCommand,
+            tag: `${this.ruleTag}:NETPROXY_REDIRECT`,
+            added: true
+          });
+        }
+      }
+      
+      return true;
+    } catch (err) {
+      this.log('error', `Failed to set up NetworkProxy integration: ${err}`);
+      return false;
+    }
+  }
+
+  /**
+   * Rolls back rules that were added in case of error
+   */
+  private async rollbackRules(): Promise<void> {
+    // Process rules in reverse order (LIFO)
+    for (let i = this.rules.length - 1; i >= 0; i--) {
+      const rule = this.rules[i];
+      
+      if (rule.added) {
+        try {
+          // Convert -A (add) to -D (delete)
+          const deleteCommand = rule.command.replace('-A', '-D');
+          await execAsync(deleteCommand);
+          this.log('info', `Rolled back rule: ${deleteCommand}`);
+          
+          rule.added = false;
+        } catch (err) {
+          this.log('error', `Failed to roll back rule: ${err}`);
         }
-        throw err;
       }
     }
   }
 
   /**
-   * Removes the iptables rules that were added in start(), by matching the unique comment.
+   * Sets up iptables rules for port forwarding with enhanced features
    */
-  public async stop(): Promise<void> {
-    if (!this.rulesInstalled) return;
-
-    const dnatDelCmd = `iptables -t nat -D PREROUTING -p tcp --dport ${this.settings.fromPort} ` +
-      `-j DNAT --to-destination ${this.settings.toHost}:${this.settings.toPort} ` +
-      `-m comment --comment "${this.ruleTag}:DNAT"`;
-    try {
-      await execAsync(dnatDelCmd);
-      console.log(`Removed iptables rule: ${dnatDelCmd}`);
-    } catch (err) {
-      console.error(`Failed to remove iptables DNAT rule: ${err}`);
+  public async start(): Promise<void> {
+    // Optionally clean the slate first
+    if (this.settings.forceCleanSlate) {
+      await IPTablesProxy.cleanSlate();
     }
-
-    if (!this.settings.preserveSourceIP) {
-      const masqueradeDelCmd = `iptables -t nat -D POSTROUTING -p tcp -d ${this.settings.toHost} ` +
-        `--dport ${this.settings.toPort} -j MASQUERADE ` +
-        `-m comment --comment "${this.ruleTag}:MASQ"`;
-      try {
-        await execAsync(masqueradeDelCmd);
-        console.log(`Removed iptables rule: ${masqueradeDelCmd}`);
-      } catch (err) {
-        console.error(`Failed to remove iptables MASQUERADE rule: ${err}`);
+    
+    // First set up any custom chains
+    if (this.settings.addJumpRule) {
+      const chainSetupSuccess = await this.setupCustomChain();
+      if (!chainSetupSuccess) {
+        throw new Error('Failed to set up custom chain');
+      }
+      
+      // For IPv6 if enabled
+      if (this.settings.ipv6Support) {
+        const chainSetupSuccessIpv6 = await this.setupCustomChain(true);
+        if (!chainSetupSuccessIpv6) {
+          this.log('warn', 'Failed to set up IPv6 custom chain, continuing with IPv4 only');
+        }
       }
     }
+    
+    // Add source IP filters
+    await this.addSourceIPFilter();
+    if (this.settings.ipv6Support) {
+      await this.addSourceIPFilter(true);
+    }
+    
+    // Set up NetworkProxy integration if enabled
+    if (this.settings.netProxyIntegration?.enabled) {
+      const netProxySetupSuccess = await this.setupNetworkProxyIntegration();
+      if (!netProxySetupSuccess) {
+        this.log('warn', 'Failed to set up NetworkProxy integration');
+      }
+      
+      if (this.settings.ipv6Support) {
+        await this.setupNetworkProxyIntegration(true);
+      }
+    }
+    
+    // Normalize port specifications
+    const fromPortRanges = this.normalizePortSpec(this.settings.fromPort);
+    const toPortRanges = this.normalizePortSpec(this.settings.toPort);
+    
+    // Handle the case where fromPort and toPort counts don't match
+    if (fromPortRanges.length !== toPortRanges.length) {
+      if (toPortRanges.length === 1) {
+        // If there's only one toPort, use it for all fromPorts
+        for (const fromRange of fromPortRanges) {
+          await this.addPortForwardingRule(fromRange, toPortRanges[0]);
+          
+          if (this.settings.ipv6Support) {
+            await this.addPortForwardingRule(fromRange, toPortRanges[0], true);
+          }
+        }
+      } else {
+        throw new Error('Mismatched port counts: fromPort and toPort arrays must have equal length or toPort must be a single value');
+      }
+    } else {
+      // Add port forwarding rules for each port specification
+      for (let i = 0; i < fromPortRanges.length; i++) {
+        await this.addPortForwardingRule(fromPortRanges[i], toPortRanges[i]);
+        
+        if (this.settings.ipv6Support) {
+          await this.addPortForwardingRule(fromPortRanges[i], toPortRanges[i], true);
+        }
+      }
+    }
+    
+    // Final check - ensure we have at least one rule added
+    if (this.rules.filter(r => r.added).length === 0) {
+      throw new Error('No rules were added');
+    }
+  }
 
-    this.rulesInstalled = false;
+  /**
+   * Removes all added iptables rules
+   */
+  public async stop(): Promise<void> {
+    // Process rules in reverse order (LIFO)
+    for (let i = this.rules.length - 1; i >= 0; i--) {
+      const rule = this.rules[i];
+      
+      if (rule.added) {
+        try {
+          // Convert -A (add) to -D (delete)
+          const deleteCommand = rule.command.replace('-A', '-D');
+          await execAsync(deleteCommand);
+          this.log('info', `Removed rule: ${deleteCommand}`);
+          
+          rule.added = false;
+        } catch (err) {
+          this.log('error', `Failed to remove rule: ${err}`);
+        }
+      }
+    }
+    
+    // If we created a custom chain, we need to clean it up
+    if (this.customChain) {
+      try {
+        // First flush the chain
+        await execAsync(`iptables -t nat -F ${this.customChain}`);
+        this.log('info', `Flushed custom chain: ${this.customChain}`);
+        
+        // Then delete it
+        await execAsync(`iptables -t nat -X ${this.customChain}`);
+        this.log('info', `Deleted custom chain: ${this.customChain}`);
+        
+        // Same for IPv6 if enabled
+        if (this.settings.ipv6Support) {
+          try {
+            await execAsync(`ip6tables -t nat -F ${this.customChain}`);
+            await execAsync(`ip6tables -t nat -X ${this.customChain}`);
+            this.log('info', `Deleted IPv6 custom chain: ${this.customChain}`);
+          } catch (err) {
+            this.log('error', `Failed to delete IPv6 custom chain: ${err}`);
+          }
+        }
+      } catch (err) {
+        this.log('error', `Failed to delete custom chain: ${err}`);
+      }
+    }
+    
+    // Clear rules array
+    this.rules = [];
+  }
+
+  /**
+   * Synchronous version of stop, for use in exit handlers
+   */
+  public stopSync(): void {
+    // Process rules in reverse order (LIFO)
+    for (let i = this.rules.length - 1; i >= 0; i--) {
+      const rule = this.rules[i];
+      
+      if (rule.added) {
+        try {
+          // Convert -A (add) to -D (delete)
+          const deleteCommand = rule.command.replace('-A', '-D');
+          execSync(deleteCommand);
+          this.log('info', `Removed rule: ${deleteCommand}`);
+          
+          rule.added = false;
+        } catch (err) {
+          this.log('error', `Failed to remove rule: ${err}`);
+        }
+      }
+    }
+    
+    // If we created a custom chain, we need to clean it up
+    if (this.customChain) {
+      try {
+        // First flush the chain
+        execSync(`iptables -t nat -F ${this.customChain}`);
+        
+        // Then delete it
+        execSync(`iptables -t nat -X ${this.customChain}`);
+        this.log('info', `Deleted custom chain: ${this.customChain}`);
+        
+        // Same for IPv6 if enabled
+        if (this.settings.ipv6Support) {
+          try {
+            execSync(`ip6tables -t nat -F ${this.customChain}`);
+            execSync(`ip6tables -t nat -X ${this.customChain}`);
+          } catch (err) {
+            // IPv6 failures are non-critical
+          }
+        }
+      } catch (err) {
+        this.log('error', `Failed to delete custom chain: ${err}`);
+      }
+    }
+    
+    // Clear rules array
+    this.rules = [];
   }
 
   /**
@@ -130,26 +702,88 @@ export class IPTablesProxy {
    * It looks for rules with comments containing "IPTablesProxy:".
    */
   public static async cleanSlate(): Promise<void> {
+    await IPTablesProxy.cleanSlateInternal();
+    
+    // Also clean IPv6 rules
+    await IPTablesProxy.cleanSlateInternal(true);
+  }
+  
+  /**
+   * Internal implementation of cleanSlate with IPv6 support
+   */
+  private static async cleanSlateInternal(isIpv6: boolean = false): Promise<void> {
+    const iptablesCmd = isIpv6 ? 'ip6tables' : 'iptables';
+    
     try {
-      const { stdout } = await execAsync('iptables-save -t nat');
+      const { stdout } = await execAsync(`${iptablesCmd}-save -t nat`);
       const lines = stdout.split('\n');
       const proxyLines = lines.filter(line => line.includes('IPTablesProxy:'));
+      
+      // First, find and remove any custom chains
+      const customChains = new Set<string>();
+      const jumpRules: string[] = [];
+      
       for (const line of proxyLines) {
-        const trimmedLine = line.trim();
-        if (trimmedLine.startsWith('-A')) {
-          // Replace the "-A" with "-D" to form a deletion command.
-          const deleteRule = trimmedLine.replace('-A', '-D');
-          const cmd = `iptables -t nat ${deleteRule}`;
-          try {
-            await execAsync(cmd);
-            console.log(`Cleaned up iptables rule: ${cmd}`);
-          } catch (err) {
-            console.error(`Failed to remove iptables rule: ${cmd}`, err);
+        if (line.includes('IPTablesProxy:JUMP')) {
+          // Extract chain name from jump rule
+          const match = line.match(/\s+-j\s+(\S+)\s+/);
+          if (match && match[1].startsWith('IPTablesProxy_')) {
+            customChains.add(match[1]);
+            jumpRules.push(line);
           }
         }
       }
+      
+      // Remove jump rules first
+      for (const line of jumpRules) {
+        const trimmedLine = line.trim();
+        if (trimmedLine.startsWith('-A')) {
+          // Replace the "-A" with "-D" to form a deletion command
+          const deleteRule = trimmedLine.replace('-A', '-D');
+          const cmd = `${iptablesCmd} -t nat ${deleteRule}`;
+          try {
+            await execAsync(cmd);
+            console.log(`Cleaned up iptables jump rule: ${cmd}`);
+          } catch (err) {
+            console.error(`Failed to remove iptables jump rule: ${cmd}`, err);
+          }
+        }
+      }
+      
+      // Then remove all other rules
+      for (const line of proxyLines) {
+        if (!line.includes('IPTablesProxy:JUMP')) { // Skip jump rules we already handled
+          const trimmedLine = line.trim();
+          if (trimmedLine.startsWith('-A')) {
+            // Replace the "-A" with "-D" to form a deletion command
+            const deleteRule = trimmedLine.replace('-A', '-D');
+            const cmd = `${iptablesCmd} -t nat ${deleteRule}`;
+            try {
+              await execAsync(cmd);
+              console.log(`Cleaned up iptables rule: ${cmd}`);
+            } catch (err) {
+              console.error(`Failed to remove iptables rule: ${cmd}`, err);
+            }
+          }
+        }
+      }
+      
+      // Finally clean up custom chains
+      for (const chain of customChains) {
+        try {
+          // Flush the chain
+          await execAsync(`${iptablesCmd} -t nat -F ${chain}`);
+          console.log(`Flushed custom chain: ${chain}`);
+          
+          // Delete the chain
+          await execAsync(`${iptablesCmd} -t nat -X ${chain}`);
+          console.log(`Deleted custom chain: ${chain}`);
+        } catch (err) {
+          console.error(`Failed to delete custom chain ${chain}:`, err);
+        }
+      }
     } catch (err) {
-      console.error(`Failed to run iptables-save: ${err}`);
+      console.error(`Failed to run ${iptablesCmd}-save: ${err}`);
     }
   }
 
@@ -159,25 +793,109 @@ export class IPTablesProxy {
    * This method is intended for use in process exit handlers.
    */
   public static cleanSlateSync(): void {
+    IPTablesProxy.cleanSlateSyncInternal();
+    
+    // Also clean IPv6 rules
+    IPTablesProxy.cleanSlateSyncInternal(true);
+  }
+  
+  /**
+   * Internal implementation of cleanSlateSync with IPv6 support
+   */
+  private static cleanSlateSyncInternal(isIpv6: boolean = false): void {
+    const iptablesCmd = isIpv6 ? 'ip6tables' : 'iptables';
+    
     try {
-      const stdout = execSync('iptables-save -t nat').toString();
+      const stdout = execSync(`${iptablesCmd}-save -t nat`).toString();
       const lines = stdout.split('\n');
       const proxyLines = lines.filter(line => line.includes('IPTablesProxy:'));
+      
+      // First, find and remove any custom chains
+      const customChains = new Set<string>();
+      const jumpRules: string[] = [];
+      
       for (const line of proxyLines) {
-        const trimmedLine = line.trim();
-        if (trimmedLine.startsWith('-A')) {
-          const deleteRule = trimmedLine.replace('-A', '-D');
-          const cmd = `iptables -t nat ${deleteRule}`;
-          try {
-            execSync(cmd);
-            console.log(`Cleaned up iptables rule: ${cmd}`);
-          } catch (err) {
-            console.error(`Failed to remove iptables rule: ${cmd}`, err);
+        if (line.includes('IPTablesProxy:JUMP')) {
+          // Extract chain name from jump rule
+          const match = line.match(/\s+-j\s+(\S+)\s+/);
+          if (match && match[1].startsWith('IPTablesProxy_')) {
+            customChains.add(match[1]);
+            jumpRules.push(line);
           }
         }
       }
+      
+      // Remove jump rules first
+      for (const line of jumpRules) {
+        const trimmedLine = line.trim();
+        if (trimmedLine.startsWith('-A')) {
+          // Replace the "-A" with "-D" to form a deletion command
+          const deleteRule = trimmedLine.replace('-A', '-D');
+          const cmd = `${iptablesCmd} -t nat ${deleteRule}`;
+          try {
+            execSync(cmd);
+            console.log(`Cleaned up iptables jump rule: ${cmd}`);
+          } catch (err) {
+            console.error(`Failed to remove iptables jump rule: ${cmd}`, err);
+          }
+        }
+      }
+      
+      // Then remove all other rules
+      for (const line of proxyLines) {
+        if (!line.includes('IPTablesProxy:JUMP')) { // Skip jump rules we already handled
+          const trimmedLine = line.trim();
+          if (trimmedLine.startsWith('-A')) {
+            const deleteRule = trimmedLine.replace('-A', '-D');
+            const cmd = `${iptablesCmd} -t nat ${deleteRule}`;
+            try {
+              execSync(cmd);
+              console.log(`Cleaned up iptables rule: ${cmd}`);
+            } catch (err) {
+              console.error(`Failed to remove iptables rule: ${cmd}`, err);
+            }
+          }
+        }
+      }
+      
+      // Finally clean up custom chains
+      for (const chain of customChains) {
+        try {
+          // Flush the chain
+          execSync(`${iptablesCmd} -t nat -F ${chain}`);
+          
+          // Delete the chain
+          execSync(`${iptablesCmd} -t nat -X ${chain}`);
+          console.log(`Deleted custom chain: ${chain}`);
+        } catch (err) {
+          console.error(`Failed to delete custom chain ${chain}:`, err);
+        }
+      }
     } catch (err) {
-      console.error(`Failed to run iptables-save: ${err}`);
+      console.error(`Failed to run ${iptablesCmd}-save: ${err}`);
+    }
+  }
+  
+  /**
+   * Logging utility that respects the enableLogging setting
+   */
+  private log(level: 'info' | 'warn' | 'error', message: string): void {
+    if (!this.settings.enableLogging && level === 'info') {
+      return;
+    }
+    
+    const timestamp = new Date().toISOString();
+    
+    switch (level) {
+      case 'info':
+        console.log(`[${timestamp}] [INFO] ${message}`);
+        break;
+      case 'warn':
+        console.warn(`[${timestamp}] [WARN] ${message}`);
+        break;
+      case 'error':
+        console.error(`[${timestamp}] [ERROR] ${message}`);
+        break;
     }
   }
 }

ts/classes.pp.acmemanager.ts

@@ -0,0 +1,149 @@
+import type { IPortProxySettings } from './classes.pp.interfaces.js';
+import { NetworkProxyBridge } from './classes.pp.networkproxybridge.js';
+
+/**
+ * Manages ACME certificate operations
+ */
+export class AcmeManager {
+  constructor(
+    private settings: IPortProxySettings,
+    private networkProxyBridge: NetworkProxyBridge
+  ) {}
+  
+  /**
+   * Get current ACME settings
+   */
+  public getAcmeSettings(): IPortProxySettings['acme'] {
+    return this.settings.acme;
+  }
+  
+  /**
+   * Check if ACME is enabled
+   */
+  public isAcmeEnabled(): boolean {
+    return !!this.settings.acme?.enabled;
+  }
+  
+  /**
+   * Update ACME certificate settings
+   */
+  public async updateAcmeSettings(acmeSettings: IPortProxySettings['acme']): Promise<void> {
+    console.log('Updating ACME certificate settings');
+    
+    // Check if enabled state is changing
+    const enabledChanging = this.settings.acme?.enabled !== acmeSettings.enabled;
+    
+    // Update settings
+    this.settings.acme = {
+      ...this.settings.acme,
+      ...acmeSettings,
+    };
+    
+    // Get NetworkProxy instance
+    const networkProxy = this.networkProxyBridge.getNetworkProxy();
+    
+    if (!networkProxy) {
+      console.log('Cannot update ACME settings - NetworkProxy not initialized');
+      return;
+    }
+    
+    try {
+      // If enabled state changed, we need to restart NetworkProxy
+      if (enabledChanging) {
+        console.log(`ACME enabled state changed to: ${acmeSettings.enabled}`);
+        
+        // Stop the current NetworkProxy
+        await this.networkProxyBridge.stop();
+        
+        // Reinitialize with new settings
+        await this.networkProxyBridge.initialize();
+        
+        // Start NetworkProxy with new settings
+        await this.networkProxyBridge.start();
+      } else {
+        // Just update the settings in the existing NetworkProxy
+        console.log('Updating ACME settings in NetworkProxy without restart');
+        
+        // Update settings in NetworkProxy
+        if (networkProxy.options && networkProxy.options.acme) {
+          networkProxy.options.acme = { ...this.settings.acme };
+          
+          // For certificate renewals, we might want to trigger checks with the new settings
+          if (acmeSettings.renewThresholdDays !== undefined) {
+            console.log(`Setting new renewal threshold to ${acmeSettings.renewThresholdDays} days`);
+            networkProxy.options.acme.renewThresholdDays = acmeSettings.renewThresholdDays;
+          }
+          
+          // Update other settings that might affect certificate operations
+          if (acmeSettings.useProduction !== undefined) {
+            console.log(`Setting ACME to ${acmeSettings.useProduction ? 'production' : 'staging'} mode`);
+          }
+          
+          if (acmeSettings.autoRenew !== undefined) {
+            console.log(`Setting auto-renewal to ${acmeSettings.autoRenew ? 'enabled' : 'disabled'}`);
+          }
+        }
+      }
+    } catch (err) {
+      console.log(`Error updating ACME settings: ${err}`);
+    }
+  }
+  
+  /**
+   * Request a certificate for a specific domain
+   */
+  public async requestCertificate(domain: string): Promise<boolean> {
+    // Validate domain format
+    if (!this.isValidDomain(domain)) {
+      console.log(`Invalid domain format: ${domain}`);
+      return false;
+    }
+    
+    // Delegate to NetworkProxyManager
+    return this.networkProxyBridge.requestCertificate(domain);
+  }
+  
+  /**
+   * Basic domain validation
+   */
+  private isValidDomain(domain: string): boolean {
+    // Very basic domain validation
+    if (!domain || domain.length === 0) {
+      return false;
+    }
+    
+    // Check for wildcard domains (they can't get ACME certs)
+    if (domain.includes('*')) {
+      console.log(`Wildcard domains like "${domain}" are not supported for ACME certificates`);
+      return false;
+    }
+    
+    // Check if domain has at least one dot and no invalid characters
+    const validDomainRegex = /^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/;
+    if (!validDomainRegex.test(domain)) {
+      console.log(`Domain "${domain}" has invalid format`);
+      return false;
+    }
+    
+    return true;
+  }
+  
+  /**
+   * Get eligible domains for ACME certificates
+   */
+  public getEligibleDomains(): string[] {
+    // Collect all eligible domains from domain configs
+    const domains: string[] = [];
+    
+    for (const config of this.settings.domainConfigs) {
+      // Skip domains that can't be used with ACME
+      const eligibleDomains = config.domains.filter(domain => 
+        !domain.includes('*') && this.isValidDomain(domain)
+      );
+      
+      domains.push(...eligibleDomains);
+    }
+    
+    return domains;
+  }
+}

ts/classes.pp.connectionmanager.ts

@@ -0,0 +1,446 @@
+import * as plugins from './plugins.js';
+import type { IConnectionRecord, IPortProxySettings } from './classes.pp.interfaces.js';
+import { SecurityManager } from './classes.pp.securitymanager.js';
+import { TimeoutManager } from './classes.pp.timeoutmanager.js';
+
+/**
+ * Manages connection lifecycle, tracking, and cleanup
+ */
+export class ConnectionManager {
+  private connectionRecords: Map<string, IConnectionRecord> = new Map();
+  private terminationStats: {
+    incoming: Record<string, number>;
+    outgoing: Record<string, number>;
+  } = { incoming: {}, outgoing: {} };
+  
+  constructor(
+    private settings: IPortProxySettings,
+    private securityManager: SecurityManager,
+    private timeoutManager: TimeoutManager
+  ) {}
+  
+  /**
+   * Generate a unique connection ID
+   */
+  public generateConnectionId(): string {
+    return Math.random().toString(36).substring(2, 15) + 
+           Math.random().toString(36).substring(2, 15);
+  }
+  
+  /**
+   * Create and track a new connection
+   */
+  public createConnection(socket: plugins.net.Socket): IConnectionRecord {
+    const connectionId = this.generateConnectionId();
+    const remoteIP = socket.remoteAddress || '';
+    const localPort = socket.localPort || 0;
+
+    const record: IConnectionRecord = {
+      id: connectionId,
+      incoming: socket,
+      outgoing: null,
+      incomingStartTime: Date.now(),
+      lastActivity: Date.now(),
+      connectionClosed: false,
+      pendingData: [],
+      pendingDataSize: 0,
+      bytesReceived: 0,
+      bytesSent: 0,
+      remoteIP,
+      localPort,
+      isTLS: false,
+      tlsHandshakeComplete: false,
+      hasReceivedInitialData: false,
+      hasKeepAlive: false,
+      incomingTerminationReason: null,
+      outgoingTerminationReason: null,
+      usingNetworkProxy: false,
+      isBrowserConnection: false,
+      domainSwitches: 0
+    };
+    
+    this.trackConnection(connectionId, record);
+    return record;
+  }
+  
+  /**
+   * Track an existing connection
+   */
+  public trackConnection(connectionId: string, record: IConnectionRecord): void {
+    this.connectionRecords.set(connectionId, record);
+    this.securityManager.trackConnectionByIP(record.remoteIP, connectionId);
+  }
+  
+  /**
+   * Get a connection by ID
+   */
+  public getConnection(connectionId: string): IConnectionRecord | undefined {
+    return this.connectionRecords.get(connectionId);
+  }
+  
+  /**
+   * Get all active connections
+   */
+  public getConnections(): Map<string, IConnectionRecord> {
+    return this.connectionRecords;
+  }
+  
+  /**
+   * Get count of active connections
+   */
+  public getConnectionCount(): number {
+    return this.connectionRecords.size;
+  }
+  
+  /**
+   * Initiates cleanup once for a connection
+   */
+  public initiateCleanupOnce(record: IConnectionRecord, reason: string = 'normal'): void {
+    if (this.settings.enableDetailedLogging) {
+      console.log(`[${record.id}] Connection cleanup initiated for ${record.remoteIP} (${reason})`);
+    }
+
+    if (
+      record.incomingTerminationReason === null ||
+      record.incomingTerminationReason === undefined
+    ) {
+      record.incomingTerminationReason = reason;
+      this.incrementTerminationStat('incoming', reason);
+    }
+
+    this.cleanupConnection(record, reason);
+  }
+  
+  /**
+   * Clean up a connection record
+   */
+  public cleanupConnection(record: IConnectionRecord, reason: string = 'normal'): void {
+    if (!record.connectionClosed) {
+      record.connectionClosed = true;
+
+      // Track connection termination
+      this.securityManager.removeConnectionByIP(record.remoteIP, record.id);
+
+      if (record.cleanupTimer) {
+        clearTimeout(record.cleanupTimer);
+        record.cleanupTimer = undefined;
+      }
+
+      // Detailed logging data
+      const duration = Date.now() - record.incomingStartTime;
+      const bytesReceived = record.bytesReceived;
+      const bytesSent = record.bytesSent;
+
+      // Remove all data handlers to make sure we clean up properly
+      if (record.incoming) {
+        try {
+          // Remove our safe data handler
+          record.incoming.removeAllListeners('data');
+          // Reset the handler references
+          record.renegotiationHandler = undefined;
+        } catch (err) {
+          console.log(`[${record.id}] Error removing data handlers: ${err}`);
+        }
+      }
+
+      // Handle incoming socket
+      this.cleanupSocket(record, 'incoming', record.incoming);
+      
+      // Handle outgoing socket
+      if (record.outgoing) {
+        this.cleanupSocket(record, 'outgoing', record.outgoing);
+      }
+
+      // Clear pendingData to avoid memory leaks
+      record.pendingData = [];
+      record.pendingDataSize = 0;
+
+      // Remove the record from the tracking map
+      this.connectionRecords.delete(record.id);
+
+      // Log connection details
+      if (this.settings.enableDetailedLogging) {
+        console.log(
+          `[${record.id}] Connection from ${record.remoteIP} on port ${record.localPort} terminated (${reason}).` +
+            ` Duration: ${plugins.prettyMs(duration)}, Bytes IN: ${bytesReceived}, OUT: ${bytesSent}, ` +
+            `TLS: ${record.isTLS ? 'Yes' : 'No'}, Keep-Alive: ${record.hasKeepAlive ? 'Yes' : 'No'}` +
+            `${record.usingNetworkProxy ? ', Using NetworkProxy' : ''}` +
+            `${record.domainSwitches ? `, Domain switches: ${record.domainSwitches}` : ''}`
+        );
+      } else {
+        console.log(
+          `[${record.id}] Connection from ${record.remoteIP} terminated (${reason}). Active connections: ${this.connectionRecords.size}`
+        );
+      }
+    }
+  }
+  
+  /**
+   * Helper method to clean up a socket
+   */
+  private cleanupSocket(record: IConnectionRecord, side: 'incoming' | 'outgoing', socket: plugins.net.Socket): void {
+    try {
+      if (!socket.destroyed) {
+        // Try graceful shutdown first, then force destroy after a short timeout
+        socket.end();
+        const socketTimeout = setTimeout(() => {
+          try {
+            if (!socket.destroyed) {
+              socket.destroy();
+            }
+          } catch (err) {
+            console.log(`[${record.id}] Error destroying ${side} socket: ${err}`);
+          }
+        }, 1000);
+
+        // Ensure the timeout doesn't block Node from exiting
+        if (socketTimeout.unref) {
+          socketTimeout.unref();
+        }
+      }
+    } catch (err) {
+      console.log(`[${record.id}] Error closing ${side} socket: ${err}`);
+      try {
+        if (!socket.destroyed) {
+          socket.destroy();
+        }
+      } catch (destroyErr) {
+        console.log(`[${record.id}] Error destroying ${side} socket: ${destroyErr}`);
+      }
+    }
+  }
+  
+  /**
+   * Creates a generic error handler for incoming or outgoing sockets
+   */
+  public handleError(side: 'incoming' | 'outgoing', record: IConnectionRecord) {
+    return (err: Error) => {
+      const code = (err as any).code;
+      let reason = 'error';
+
+      const now = Date.now();
+      const connectionDuration = now - record.incomingStartTime;
+      const lastActivityAge = now - record.lastActivity;
+
+      if (code === 'ECONNRESET') {
+        reason = 'econnreset';
+        console.log(
+          `[${record.id}] ECONNRESET on ${side} side from ${record.remoteIP}: ${err.message}. ` +
+          `Duration: ${plugins.prettyMs(connectionDuration)}, Last activity: ${plugins.prettyMs(lastActivityAge)} ago`
+        );
+      } else if (code === 'ETIMEDOUT') {
+        reason = 'etimedout';
+        console.log(
+          `[${record.id}] ETIMEDOUT on ${side} side from ${record.remoteIP}: ${err.message}. ` +
+          `Duration: ${plugins.prettyMs(connectionDuration)}, Last activity: ${plugins.prettyMs(lastActivityAge)} ago`
+        );
+      } else {
+        console.log(
+          `[${record.id}] Error on ${side} side from ${record.remoteIP}: ${err.message}. ` +
+          `Duration: ${plugins.prettyMs(connectionDuration)}, Last activity: ${plugins.prettyMs(lastActivityAge)} ago`
+        );
+      }
+
+      if (side === 'incoming' && record.incomingTerminationReason === null) {
+        record.incomingTerminationReason = reason;
+        this.incrementTerminationStat('incoming', reason);
+      } else if (side === 'outgoing' && record.outgoingTerminationReason === null) {
+        record.outgoingTerminationReason = reason;
+        this.incrementTerminationStat('outgoing', reason);
+      }
+
+      this.initiateCleanupOnce(record, reason);
+    };
+  }
+  
+  /**
+   * Creates a generic close handler for incoming or outgoing sockets
+   */
+  public handleClose(side: 'incoming' | 'outgoing', record: IConnectionRecord) {
+    return () => {
+      if (this.settings.enableDetailedLogging) {
+        console.log(`[${record.id}] Connection closed on ${side} side from ${record.remoteIP}`);
+      }
+
+      if (side === 'incoming' && record.incomingTerminationReason === null) {
+        record.incomingTerminationReason = 'normal';
+        this.incrementTerminationStat('incoming', 'normal');
+      } else if (side === 'outgoing' && record.outgoingTerminationReason === null) {
+        record.outgoingTerminationReason = 'normal';
+        this.incrementTerminationStat('outgoing', 'normal');
+        // Record the time when outgoing socket closed.
+        record.outgoingClosedTime = Date.now();
+      }
+
+      this.initiateCleanupOnce(record, 'closed_' + side);
+    };
+  }
+  
+  /**
+   * Increment termination statistics
+   */
+  public incrementTerminationStat(side: 'incoming' | 'outgoing', reason: string): void {
+    this.terminationStats[side][reason] = (this.terminationStats[side][reason] || 0) + 1;
+  }
+  
+  /**
+   * Get termination statistics
+   */
+  public getTerminationStats(): { incoming: Record<string, number>; outgoing: Record<string, number> } {
+    return this.terminationStats;
+  }
+  
+  /**
+   * Check for stalled/inactive connections
+   */
+  public performInactivityCheck(): void {
+    const now = Date.now();
+    const connectionIds = [...this.connectionRecords.keys()];
+    
+    for (const id of connectionIds) {
+      const record = this.connectionRecords.get(id);
+      if (!record) continue;
+
+      // Skip inactivity check if disabled or for immortal keep-alive connections
+      if (
+        this.settings.disableInactivityCheck ||
+        (record.hasKeepAlive && this.settings.keepAliveTreatment === 'immortal')
+      ) {
+        continue;
+      }
+      
+      const inactivityTime = now - record.lastActivity;
+
+      // Use extended timeout for extended-treatment keep-alive connections
+      let effectiveTimeout = this.settings.inactivityTimeout!;
+      if (record.hasKeepAlive && this.settings.keepAliveTreatment === 'extended') {
+        const multiplier = this.settings.keepAliveInactivityMultiplier || 6;
+        effectiveTimeout = effectiveTimeout * multiplier;
+      }
+
+      if (inactivityTime > effectiveTimeout && !record.connectionClosed) {
+        // For keep-alive connections, issue a warning first
+        if (record.hasKeepAlive && !record.inactivityWarningIssued) {
+          console.log(
+            `[${id}] Warning: Keep-alive connection from ${record.remoteIP} inactive for ${
+              plugins.prettyMs(inactivityTime)
+            }. Will close in 10 minutes if no activity.`
+          );
+
+          // Set warning flag and add grace period
+          record.inactivityWarningIssued = true;
+          record.lastActivity = now - (effectiveTimeout - 600000);
+
+          // Try to stimulate activity with a probe packet
+          if (record.outgoing && !record.outgoing.destroyed) {
+            try {
+              record.outgoing.write(Buffer.alloc(0));
+
+              if (this.settings.enableDetailedLogging) {
+                console.log(`[${id}] Sent probe packet to test keep-alive connection`);
+              }
+            } catch (err) {
+              console.log(`[${id}] Error sending probe packet: ${err}`);
+            }
+          }
+        } else {
+          // For non-keep-alive or after warning, close the connection
+          console.log(
+            `[${id}] Inactivity check: No activity on connection from ${record.remoteIP} ` +
+            `for ${plugins.prettyMs(inactivityTime)}.` +
+            (record.hasKeepAlive ? ' Despite keep-alive being enabled.' : '')
+          );
+          this.cleanupConnection(record, 'inactivity');
+        }
+      } else if (inactivityTime <= effectiveTimeout && record.inactivityWarningIssued) {
+        // If activity detected after warning, clear the warning
+        if (this.settings.enableDetailedLogging) {
+          console.log(
+            `[${id}] Connection activity detected after inactivity warning, resetting warning`
+          );
+        }
+        record.inactivityWarningIssued = false;
+      }
+      
+      // Parity check: if outgoing socket closed and incoming remains active
+      if (
+        record.outgoingClosedTime &&
+        !record.incoming.destroyed &&
+        !record.connectionClosed &&
+        now - record.outgoingClosedTime > 120000
+      ) {
+        console.log(
+          `[${id}] Parity check: Incoming socket for ${record.remoteIP} still active ${
+            plugins.prettyMs(now - record.outgoingClosedTime)
+          } after outgoing closed.`
+        );
+        this.cleanupConnection(record, 'parity_check');
+      }
+    }
+  }
+  
+  /**
+   * Clear all connections (for shutdown)
+   */
+  public clearConnections(): void {
+    // Create a copy of the keys to avoid modification during iteration
+    const connectionIds = [...this.connectionRecords.keys()];
+    
+    // First pass: End all connections gracefully
+    for (const id of connectionIds) {
+      const record = this.connectionRecords.get(id);
+      if (record) {
+        try {
+          // Clear any timers
+          if (record.cleanupTimer) {
+            clearTimeout(record.cleanupTimer);
+            record.cleanupTimer = undefined;
+          }
+
+          // End sockets gracefully
+          if (record.incoming && !record.incoming.destroyed) {
+            record.incoming.end();
+          }
+
+          if (record.outgoing && !record.outgoing.destroyed) {
+            record.outgoing.end();
+          }
+        } catch (err) {
+          console.log(`Error during graceful connection end for ${id}: ${err}`);
+        }
+      }
+    }
+
+    // Short delay to allow graceful ends to process
+    setTimeout(() => {
+      // Second pass: Force destroy everything
+      for (const id of connectionIds) {
+        const record = this.connectionRecords.get(id);
+        if (record) {
+          try {
+            // Remove all listeners to prevent memory leaks
+            if (record.incoming) {
+              record.incoming.removeAllListeners();
+              if (!record.incoming.destroyed) {
+                record.incoming.destroy();
+              }
+            }
+
+            if (record.outgoing) {
+              record.outgoing.removeAllListeners();
+              if (!record.outgoing.destroyed) {
+                record.outgoing.destroy();
+              }
+            }
+          } catch (err) {
+            console.log(`Error during forced connection destruction for ${id}: ${err}`);
+          }
+        }
+      }
+      
+      // Clear all maps
+      this.connectionRecords.clear();
+      this.terminationStats = { incoming: {}, outgoing: {} };
+    }, 100);
+  }
+}

ts/classes.pp.domainconfigmanager.ts

@@ -0,0 +1,123 @@
+import * as plugins from './plugins.js';
+import type { IDomainConfig, IPortProxySettings } from './classes.pp.interfaces.js';
+
+/**
+ * Manages domain configurations and target selection
+ */
+export class DomainConfigManager {
+  // Track round-robin indices for domain configs
+  private domainTargetIndices: Map<IDomainConfig, number> = new Map();
+  
+  constructor(private settings: IPortProxySettings) {}
+  
+  /**
+   * Updates the domain configurations
+   */
+  public updateDomainConfigs(newDomainConfigs: IDomainConfig[]): void {
+    this.settings.domainConfigs = newDomainConfigs;
+    
+    // Reset target indices for removed configs
+    const currentConfigSet = new Set(newDomainConfigs);
+    for (const [config] of this.domainTargetIndices) {
+      if (!currentConfigSet.has(config)) {
+        this.domainTargetIndices.delete(config);
+      }
+    }
+  }
+  
+  /**
+   * Get all domain configurations
+   */
+  public getDomainConfigs(): IDomainConfig[] {
+    return this.settings.domainConfigs;
+  }
+  
+  /**
+   * Find domain config matching a server name
+   */
+  public findDomainConfig(serverName: string): IDomainConfig | undefined {
+    if (!serverName) return undefined;
+    
+    return this.settings.domainConfigs.find((config) =>
+      config.domains.some((d) => plugins.minimatch(serverName, d))
+    );
+  }
+  
+  /**
+   * Find domain config for a specific port
+   */
+  public findDomainConfigForPort(port: number): IDomainConfig | undefined {
+    return this.settings.domainConfigs.find(
+      (domain) =>
+        domain.portRanges &&
+        domain.portRanges.length > 0 &&
+        this.isPortInRanges(port, domain.portRanges)
+    );
+  }
+  
+  /**
+   * Check if a port is within any of the given ranges
+   */
+  public isPortInRanges(port: number, ranges: Array<{ from: number; to: number }>): boolean {
+    return ranges.some((range) => port >= range.from && port <= range.to);
+  }
+  
+  /**
+   * Get target IP with round-robin support
+   */
+  public getTargetIP(domainConfig: IDomainConfig): string {
+    if (domainConfig.targetIPs && domainConfig.targetIPs.length > 0) {
+      const currentIndex = this.domainTargetIndices.get(domainConfig) || 0;
+      const ip = domainConfig.targetIPs[currentIndex % domainConfig.targetIPs.length];
+      this.domainTargetIndices.set(domainConfig, currentIndex + 1);
+      return ip;
+    }
+    
+    return this.settings.targetIP || 'localhost';
+  }
+  
+  /**
+   * Checks if a domain should use NetworkProxy
+   */
+  public shouldUseNetworkProxy(domainConfig: IDomainConfig): boolean {
+    return !!domainConfig.useNetworkProxy;
+  }
+  
+  /**
+   * Gets the NetworkProxy port for a domain
+   */
+  public getNetworkProxyPort(domainConfig: IDomainConfig): number | undefined {
+    return domainConfig.useNetworkProxy 
+      ? (domainConfig.networkProxyPort || this.settings.networkProxyPort)
+      : undefined;
+  }
+  
+  /**
+   * Get effective allowed and blocked IPs for a domain
+   */
+  public getEffectiveIPRules(domainConfig: IDomainConfig): {
+    allowedIPs: string[],
+    blockedIPs: string[]
+  } {
+    return {
+      allowedIPs: [
+        ...domainConfig.allowedIPs,
+        ...(this.settings.defaultAllowedIPs || [])
+      ],
+      blockedIPs: [
+        ...(domainConfig.blockedIPs || []),
+        ...(this.settings.defaultBlockedIPs || [])
+      ]
+    };
+  }
+  
+  /**
+   * Get connection timeout for a domain
+   */
+  public getConnectionTimeout(domainConfig?: IDomainConfig): number {
+    if (domainConfig?.connectionTimeout) {
+      return domainConfig.connectionTimeout;
+    }
+    return this.settings.maxConnectionLifetime || 86400000; // 24 hours default
+  }
+}

ts/classes.pp.interfaces.ts

@@ -0,0 +1,136 @@
+import * as plugins from './plugins.js';
+
+/** Domain configuration with per-domain allowed port ranges */
+export interface IDomainConfig {
+  domains: string[]; // Glob patterns for domain(s)
+  allowedIPs: string[]; // Glob patterns for allowed IPs
+  blockedIPs?: string[]; // Glob patterns for blocked IPs
+  targetIPs?: string[]; // If multiple targetIPs are given, use round robin.
+  portRanges?: Array<{ from: number; to: number }>; // Optional port ranges
+  // Allow domain-specific timeout override
+  connectionTimeout?: number; // Connection timeout override (ms)
+
+  // NetworkProxy integration options for this specific domain
+  useNetworkProxy?: boolean; // Whether to use NetworkProxy for this domain
+  networkProxyPort?: number; // Override default NetworkProxy port for this domain
+}
+
+/** Port proxy settings including global allowed port ranges */
+export interface IPortProxySettings {
+  fromPort: number;
+  toPort: number;
+  targetIP?: string; // Global target host to proxy to, defaults to 'localhost'
+  domainConfigs: IDomainConfig[];
+  sniEnabled?: boolean;
+  defaultAllowedIPs?: string[];
+  defaultBlockedIPs?: string[];
+  preserveSourceIP?: boolean;
+
+  // TLS options
+  pfx?: Buffer;
+  key?: string | Buffer | Array<Buffer | string>;
+  passphrase?: string;
+  cert?: string | Buffer | Array<string | Buffer>;
+  ca?: string | Buffer | Array<string | Buffer>;
+  ciphers?: string;
+  honorCipherOrder?: boolean;
+  rejectUnauthorized?: boolean;
+  secureProtocol?: string;
+  servername?: string;
+  minVersion?: string;
+  maxVersion?: string;
+
+  // Timeout settings
+  initialDataTimeout?: number; // Timeout for initial data/SNI (ms), default: 60000 (60s)
+  socketTimeout?: number; // Socket inactivity timeout (ms), default: 3600000 (1h)
+  inactivityCheckInterval?: number; // How often to check for inactive connections (ms), default: 60000 (60s)
+  maxConnectionLifetime?: number; // Default max connection lifetime (ms), default: 86400000 (24h)
+  inactivityTimeout?: number; // Inactivity timeout (ms), default: 14400000 (4h)
+
+  gracefulShutdownTimeout?: number; // (ms) maximum time to wait for connections to close during shutdown
+  globalPortRanges: Array<{ from: number; to: number }>; // Global allowed port ranges
+  forwardAllGlobalRanges?: boolean; // When true, forwards all connections on global port ranges to the global targetIP
+
+  // Socket optimization settings
+  noDelay?: boolean; // Disable Nagle's algorithm (default: true)
+  keepAlive?: boolean; // Enable TCP keepalive (default: true)
+  keepAliveInitialDelay?: number; // Initial delay before sending keepalive probes (ms)
+  maxPendingDataSize?: number; // Maximum bytes to buffer during connection setup
+
+  // Enhanced features
+  disableInactivityCheck?: boolean; // Disable inactivity checking entirely
+  enableKeepAliveProbes?: boolean; // Enable TCP keep-alive probes
+  enableDetailedLogging?: boolean; // Enable detailed connection logging
+  enableTlsDebugLogging?: boolean; // Enable TLS handshake debug logging
+  enableRandomizedTimeouts?: boolean; // Randomize timeouts slightly to prevent thundering herd
+  allowSessionTicket?: boolean; // Allow TLS session ticket for reconnection (default: true)
+
+  // Rate limiting and security
+  maxConnectionsPerIP?: number; // Maximum simultaneous connections from a single IP
+  connectionRateLimitPerMinute?: number; // Max new connections per minute from a single IP
+
+  // Enhanced keep-alive settings
+  keepAliveTreatment?: 'standard' | 'extended' | 'immortal'; // How to treat keep-alive connections
+  keepAliveInactivityMultiplier?: number; // Multiplier for inactivity timeout for keep-alive connections
+  extendedKeepAliveLifetime?: number; // Extended lifetime for keep-alive connections (ms)
+
+  // NetworkProxy integration
+  useNetworkProxy?: number[]; // Array of ports to forward to NetworkProxy
+  networkProxyPort?: number; // Port where NetworkProxy is listening (default: 8443)
+
+  // ACME certificate management options
+  acme?: {
+    enabled?: boolean; // Whether to enable automatic certificate management
+    port?: number; // Port to listen on for ACME challenges (default: 80)
+    contactEmail?: string; // Email for Let's Encrypt account
+    useProduction?: boolean; // Whether to use Let's Encrypt production (default: false for staging)
+    renewThresholdDays?: number; // Days before expiry to renew certificates (default: 30)
+    autoRenew?: boolean; // Whether to automatically renew certificates (default: true)
+    certificateStore?: string; // Directory to store certificates (default: ./certs)
+    skipConfiguredCerts?: boolean; // Skip domains that already have certificates configured
+  };
+}
+
+/**
+ * Enhanced connection record
+ */
+export interface IConnectionRecord {
+  id: string; // Unique connection identifier
+  incoming: plugins.net.Socket;
+  outgoing: plugins.net.Socket | null;
+  incomingStartTime: number;
+  outgoingStartTime?: number;
+  outgoingClosedTime?: number;
+  lockedDomain?: string; // Used to lock this connection to the initial SNI
+  connectionClosed: boolean; // Flag to prevent multiple cleanup attempts
+  cleanupTimer?: NodeJS.Timeout; // Timer for max lifetime/inactivity
+  lastActivity: number; // Last activity timestamp for inactivity detection
+  pendingData: Buffer[]; // Buffer to hold data during connection setup
+  pendingDataSize: number; // Track total size of pending data
+
+  // Enhanced tracking fields
+  bytesReceived: number; // Total bytes received
+  bytesSent: number; // Total bytes sent
+  remoteIP: string; // Remote IP (cached for logging after socket close)
+  localPort: number; // Local port (cached for logging)
+  isTLS: boolean; // Whether this connection is a TLS connection
+  tlsHandshakeComplete: boolean; // Whether the TLS handshake is complete
+  hasReceivedInitialData: boolean; // Whether initial data has been received
+  domainConfig?: IDomainConfig; // Associated domain config for this connection
+
+  // Keep-alive tracking
+  hasKeepAlive: boolean; // Whether keep-alive is enabled for this connection
+  inactivityWarningIssued?: boolean; // Whether an inactivity warning has been issued
+  incomingTerminationReason?: string | null; // Reason for incoming termination
+  outgoingTerminationReason?: string | null; // Reason for outgoing termination
+
+  // NetworkProxy tracking
+  usingNetworkProxy?: boolean; // Whether this connection is using a NetworkProxy
+
+  // Renegotiation handler
+  renegotiationHandler?: (chunk: Buffer) => void; // Handler for renegotiation detection
+
+  // Browser connection tracking
+  isBrowserConnection?: boolean; // Whether this connection appears to be from a browser
+  domainSwitches?: number; // Number of times the domain has been switched on this connection
+}

ts/classes.pp.networkproxybridge.ts

@@ -0,0 +1,258 @@
+import * as plugins from './plugins.js';
+import { NetworkProxy } from './classes.networkproxy.js';
+import type { IConnectionRecord, IPortProxySettings, IDomainConfig } from './classes.pp.interfaces.js';
+
+/**
+ * Manages NetworkProxy integration for TLS termination
+ */
+export class NetworkProxyBridge {
+  private networkProxy: NetworkProxy | null = null;
+  
+  constructor(private settings: IPortProxySettings) {}
+  
+  /**
+   * Initialize NetworkProxy instance
+   */
+  public async initialize(): Promise<void> {
+    if (!this.networkProxy && this.settings.useNetworkProxy && this.settings.useNetworkProxy.length > 0) {
+      // Configure NetworkProxy options based on PortProxy settings
+      const networkProxyOptions: any = {
+        port: this.settings.networkProxyPort!,
+        portProxyIntegration: true,
+        logLevel: this.settings.enableDetailedLogging ? 'debug' : 'info',
+      };
+
+      // Add ACME settings if configured
+      if (this.settings.acme) {
+        networkProxyOptions.acme = { ...this.settings.acme };
+      }
+
+      this.networkProxy = new NetworkProxy(networkProxyOptions);
+
+      console.log(`Initialized NetworkProxy on port ${this.settings.networkProxyPort}`);
+
+      // Convert and apply domain configurations to NetworkProxy
+      await this.syncDomainConfigsToNetworkProxy();
+    }
+  }
+  
+  /**
+   * Get the NetworkProxy instance
+   */
+  public getNetworkProxy(): NetworkProxy | null {
+    return this.networkProxy;
+  }
+  
+  /**
+   * Get the NetworkProxy port
+   */
+  public getNetworkProxyPort(): number {
+    return this.networkProxy ? this.networkProxy.getListeningPort() : this.settings.networkProxyPort || 8443;
+  }
+  
+  /**
+   * Start NetworkProxy
+   */
+  public async start(): Promise<void> {
+    if (this.networkProxy) {
+      await this.networkProxy.start();
+      console.log(`NetworkProxy started on port ${this.settings.networkProxyPort}`);
+
+      // Log ACME status
+      if (this.settings.acme?.enabled) {
+        console.log(
+          `ACME certificate management is enabled (${
+            this.settings.acme.useProduction ? 'Production' : 'Staging'
+          } mode)`
+        );
+        console.log(`ACME HTTP challenge server on port ${this.settings.acme.port}`);
+
+        // Register domains for ACME certificates if enabled
+        if (this.networkProxy.options.acme?.enabled) {
+          console.log('Registering domains with ACME certificate manager...');
+          // The NetworkProxy will handle this internally via registerDomainsWithAcmeManager()
+        }
+      }
+    }
+  }
+  
+  /**
+   * Stop NetworkProxy
+   */
+  public async stop(): Promise<void> {
+    if (this.networkProxy) {
+      try {
+        console.log('Stopping NetworkProxy...');
+        await this.networkProxy.stop();
+        console.log('NetworkProxy stopped successfully');
+
+        // Log ACME shutdown if it was enabled
+        if (this.settings.acme?.enabled) {
+          console.log('ACME certificate manager stopped');
+        }
+      } catch (err) {
+        console.log(`Error stopping NetworkProxy: ${err}`);
+      }
+    }
+  }
+  
+  /**
+   * Forwards a TLS connection to a NetworkProxy for handling
+   */
+  public forwardToNetworkProxy(
+    connectionId: string,
+    socket: plugins.net.Socket,
+    record: IConnectionRecord,
+    initialData: Buffer,
+    customProxyPort?: number,
+    onError?: (reason: string) => void
+  ): void {
+    // Ensure NetworkProxy is initialized
+    if (!this.networkProxy) {
+      console.log(
+        `[${connectionId}] NetworkProxy not initialized. Cannot forward connection.`
+      );
+      if (onError) {
+        onError('network_proxy_not_initialized');
+      }
+      return;
+    }
+
+    // Use the custom port if provided, otherwise use the default NetworkProxy port
+    const proxyPort = customProxyPort || this.networkProxy.getListeningPort();
+    const proxyHost = 'localhost'; // Assuming NetworkProxy runs locally
+
+    if (this.settings.enableDetailedLogging) {
+      console.log(
+        `[${connectionId}] Forwarding TLS connection to NetworkProxy at ${proxyHost}:${proxyPort}`
+      );
+    }
+
+    // Create a connection to the NetworkProxy
+    const proxySocket = plugins.net.connect({
+      host: proxyHost,
+      port: proxyPort,
+    });
+
+    // Store the outgoing socket in the record
+    record.outgoing = proxySocket;
+    record.outgoingStartTime = Date.now();
+    record.usingNetworkProxy = true;
+
+    // Set up error handlers
+    proxySocket.on('error', (err) => {
+      console.log(`[${connectionId}] Error connecting to NetworkProxy: ${err.message}`);
+      if (onError) {
+        onError('network_proxy_connect_error');
+      }
+    });
+
+    // Handle connection to NetworkProxy
+    proxySocket.on('connect', () => {
+      if (this.settings.enableDetailedLogging) {
+        console.log(`[${connectionId}] Connected to NetworkProxy at ${proxyHost}:${proxyPort}`);
+      }
+
+      // First send the initial data that contains the TLS ClientHello
+      proxySocket.write(initialData);
+
+      // Now set up bidirectional piping between client and NetworkProxy
+      socket.pipe(proxySocket);
+      proxySocket.pipe(socket);
+
+      // Update activity on data transfer (caller should handle this)
+      if (this.settings.enableDetailedLogging) {
+        console.log(`[${connectionId}] TLS connection successfully forwarded to NetworkProxy`);
+      }
+    });
+  }
+  
+  /**
+   * Synchronizes domain configurations to NetworkProxy
+   */
+  public async syncDomainConfigsToNetworkProxy(): Promise<void> {
+    if (!this.networkProxy) {
+      console.log('Cannot sync configurations - NetworkProxy not initialized');
+      return;
+    }
+
+    try {
+      // Get SSL certificates from assets
+      // Import fs directly since it's not in plugins
+      const fs = await import('fs');
+
+      let certPair;
+      try {
+        certPair = {
+          key: fs.readFileSync('assets/certs/key.pem', 'utf8'),
+          cert: fs.readFileSync('assets/certs/cert.pem', 'utf8'),
+        };
+      } catch (certError) {
+        console.log(`Warning: Could not read default certificates: ${certError}`);
+        console.log(
+          'Using empty certificate placeholders - ACME will generate proper certificates if enabled'
+        );
+
+        // Use empty placeholders - NetworkProxy will use its internal defaults
+        // or ACME will generate proper ones if enabled
+        certPair = {
+          key: '',
+          cert: '',
+        };
+      }
+
+      // Convert domain configs to NetworkProxy configs
+      const proxyConfigs = this.networkProxy.convertPortProxyConfigs(
+        this.settings.domainConfigs,
+        certPair
+      );
+
+      // Log ACME-eligible domains if ACME is enabled
+      if (this.settings.acme?.enabled) {
+        const acmeEligibleDomains = proxyConfigs
+          .filter((config) => !config.hostName.includes('*')) // Exclude wildcards
+          .map((config) => config.hostName);
+
+        if (acmeEligibleDomains.length > 0) {
+          console.log(`Domains eligible for ACME certificates: ${acmeEligibleDomains.join(', ')}`);
+        } else {
+          console.log('No domains eligible for ACME certificates found in configuration');
+        }
+      }
+
+      // Update NetworkProxy with the converted configs
+      await this.networkProxy.updateProxyConfigs(proxyConfigs);
+      console.log(`Successfully synchronized ${proxyConfigs.length} domain configurations to NetworkProxy`);
+    } catch (err) {
+      console.log(`Failed to sync configurations: ${err}`);
+    }
+  }
+  
+  /**
+   * Request a certificate for a specific domain
+   */
+  public async requestCertificate(domain: string): Promise<boolean> {
+    if (!this.networkProxy) {
+      console.log('Cannot request certificate - NetworkProxy not initialized');
+      return false;
+    }
+
+    if (!this.settings.acme?.enabled) {
+      console.log('Cannot request certificate - ACME is not enabled');
+      return false;
+    }
+
+    try {
+      const result = await this.networkProxy.requestCertificate(domain);
+      if (result) {
+        console.log(`Certificate request for ${domain} submitted successfully`);
+      } else {
+        console.log(`Certificate request for ${domain} failed`);
+      }
+      return result;
+    } catch (err) {
+      console.log(`Error requesting certificate: ${err}`);
+      return false;
+    }
+  }
+}

ts/classes.pp.portproxy.ts

@@ -0,0 +1,344 @@
+import * as plugins from './plugins.js';
+import type { IPortProxySettings, IDomainConfig } from './classes.pp.interfaces.js';
+import { ConnectionManager } from './classes.pp.connectionmanager.js';
+import { SecurityManager } from './classes.pp.securitymanager.js';
+import { DomainConfigManager } from './classes.pp.domainconfigmanager.js';
+import { TlsManager } from './classes.pp.tlsmanager.js';
+import { NetworkProxyBridge } from './classes.pp.networkproxybridge.js';
+import { TimeoutManager } from './classes.pp.timeoutmanager.js';
+import { AcmeManager } from './classes.pp.acmemanager.js';
+import { PortRangeManager } from './classes.pp.portrangemanager.js';
+import { ConnectionHandler } from './classes.pp.connectionhandler.js';
+
+/**
+ * PortProxy - Main class that coordinates all components
+ */
+export class PortProxy {
+  private netServers: plugins.net.Server[] = [];
+  private connectionLogger: NodeJS.Timeout | null = null;
+  private isShuttingDown: boolean = false;
+  
+  // Component managers
+  private connectionManager: ConnectionManager;
+  private securityManager: SecurityManager;
+  public domainConfigManager: DomainConfigManager;
+  private tlsManager: TlsManager;
+  private networkProxyBridge: NetworkProxyBridge;
+  private timeoutManager: TimeoutManager;
+  private acmeManager: AcmeManager;
+  private portRangeManager: PortRangeManager;
+  private connectionHandler: ConnectionHandler;
+  
+  constructor(settingsArg: IPortProxySettings) {
+    // Set reasonable defaults for all settings
+    this.settings = {
+      ...settingsArg,
+      targetIP: settingsArg.targetIP || 'localhost',
+      initialDataTimeout: settingsArg.initialDataTimeout || 120000,
+      socketTimeout: settingsArg.socketTimeout || 3600000,
+      inactivityCheckInterval: settingsArg.inactivityCheckInterval || 60000,
+      maxConnectionLifetime: settingsArg.maxConnectionLifetime || 86400000,
+      inactivityTimeout: settingsArg.inactivityTimeout || 14400000,
+      gracefulShutdownTimeout: settingsArg.gracefulShutdownTimeout || 30000,
+      noDelay: settingsArg.noDelay !== undefined ? settingsArg.noDelay : true,
+      keepAlive: settingsArg.keepAlive !== undefined ? settingsArg.keepAlive : true,
+      keepAliveInitialDelay: settingsArg.keepAliveInitialDelay || 10000,
+      maxPendingDataSize: settingsArg.maxPendingDataSize || 10 * 1024 * 1024,
+      disableInactivityCheck: settingsArg.disableInactivityCheck || false,
+      enableKeepAliveProbes: 
+        settingsArg.enableKeepAliveProbes !== undefined ? settingsArg.enableKeepAliveProbes : true,
+      enableDetailedLogging: settingsArg.enableDetailedLogging || false,
+      enableTlsDebugLogging: settingsArg.enableTlsDebugLogging || false,
+      enableRandomizedTimeouts: settingsArg.enableRandomizedTimeouts || false,
+      allowSessionTicket: 
+        settingsArg.allowSessionTicket !== undefined ? settingsArg.allowSessionTicket : true,
+      maxConnectionsPerIP: settingsArg.maxConnectionsPerIP || 100,
+      connectionRateLimitPerMinute: settingsArg.connectionRateLimitPerMinute || 300,
+      keepAliveTreatment: settingsArg.keepAliveTreatment || 'extended',
+      keepAliveInactivityMultiplier: settingsArg.keepAliveInactivityMultiplier || 6,
+      extendedKeepAliveLifetime: settingsArg.extendedKeepAliveLifetime || 7 * 24 * 60 * 60 * 1000,
+      networkProxyPort: settingsArg.networkProxyPort || 8443,
+      acme: settingsArg.acme || {
+        enabled: false,
+        port: 80,
+        contactEmail: 'admin@example.com',
+        useProduction: false,
+        renewThresholdDays: 30,
+        autoRenew: true,
+        certificateStore: './certs',
+        skipConfiguredCerts: false,
+      },
+    };
+    
+    // Initialize component managers
+    this.timeoutManager = new TimeoutManager(this.settings);
+    this.securityManager = new SecurityManager(this.settings);
+    this.connectionManager = new ConnectionManager(
+      this.settings, 
+      this.securityManager, 
+      this.timeoutManager
+    );
+    this.domainConfigManager = new DomainConfigManager(this.settings);
+    this.tlsManager = new TlsManager(this.settings);
+    this.networkProxyBridge = new NetworkProxyBridge(this.settings);
+    this.portRangeManager = new PortRangeManager(this.settings);
+    this.acmeManager = new AcmeManager(this.settings, this.networkProxyBridge);
+    
+    // Initialize connection handler
+    this.connectionHandler = new ConnectionHandler(
+      this.settings,
+      this.connectionManager,
+      this.securityManager,
+      this.domainConfigManager,
+      this.tlsManager,
+      this.networkProxyBridge,
+      this.timeoutManager,
+      this.portRangeManager
+    );
+  }
+  
+  /**
+   * The settings for the port proxy
+   */
+  public settings: IPortProxySettings;
+  
+  /**
+   * Start the proxy server
+   */
+  public async start() {
+    // Don't start if already shutting down
+    if (this.isShuttingDown) {
+      console.log("Cannot start PortProxy while it's shutting down");
+      return;
+    }
+
+    // Initialize and start NetworkProxy if needed
+    if (
+      this.settings.useNetworkProxy &&
+      this.settings.useNetworkProxy.length > 0
+    ) {
+      await this.networkProxyBridge.initialize();
+      await this.networkProxyBridge.start();
+    }
+
+    // Validate port configuration
+    const configWarnings = this.portRangeManager.validateConfiguration();
+    if (configWarnings.length > 0) {
+      console.log("Port configuration warnings:");
+      for (const warning of configWarnings) {
+        console.log(` - ${warning}`);
+      }
+    }
+
+    // Get listening ports from PortRangeManager
+    const listeningPorts = this.portRangeManager.getListeningPorts();
+
+    // Create servers for each port
+    for (const port of listeningPorts) {
+      const server = plugins.net.createServer((socket) => {
+        // Check if shutting down
+        if (this.isShuttingDown) {
+          socket.end();
+          socket.destroy();
+          return;
+        }
+        
+        // Delegate to connection handler
+        this.connectionHandler.handleConnection(socket);
+      }).on('error', (err: Error) => {
+        console.log(`Server Error on port ${port}: ${err.message}`);
+      });
+      
+      server.listen(port, () => {
+        const isNetworkProxyPort = this.settings.useNetworkProxy?.includes(port);
+        console.log(
+          `PortProxy -> OK: Now listening on port ${port}${
+            this.settings.sniEnabled && !isNetworkProxyPort ? ' (SNI passthrough enabled)' : ''
+          }${isNetworkProxyPort ? ' (NetworkProxy forwarding enabled)' : ''}`
+        );
+      });
+      
+      this.netServers.push(server);
+    }
+
+    // Set up periodic connection logging and inactivity checks
+    this.connectionLogger = setInterval(() => {
+      // Immediately return if shutting down
+      if (this.isShuttingDown) return;
+
+      // Perform inactivity check
+      this.connectionManager.performInactivityCheck();
+
+      // Log connection statistics
+      const now = Date.now();
+      let maxIncoming = 0;
+      let maxOutgoing = 0;
+      let tlsConnections = 0;
+      let nonTlsConnections = 0;
+      let completedTlsHandshakes = 0;
+      let pendingTlsHandshakes = 0;
+      let keepAliveConnections = 0;
+      let networkProxyConnections = 0;
+      
+      // Get connection records for analysis
+      const connectionRecords = this.connectionManager.getConnections();
+      
+      // Analyze active connections
+      for (const record of connectionRecords.values()) {
+        // Track connection stats
+        if (record.isTLS) {
+          tlsConnections++;
+          if (record.tlsHandshakeComplete) {
+            completedTlsHandshakes++;
+          } else {
+            pendingTlsHandshakes++;
+          }
+        } else {
+          nonTlsConnections++;
+        }
+
+        if (record.hasKeepAlive) {
+          keepAliveConnections++;
+        }
+
+        if (record.usingNetworkProxy) {
+          networkProxyConnections++;
+        }
+
+        maxIncoming = Math.max(maxIncoming, now - record.incomingStartTime);
+        if (record.outgoingStartTime) {
+          maxOutgoing = Math.max(maxOutgoing, now - record.outgoingStartTime);
+        }
+      }
+
+      // Get termination stats
+      const terminationStats = this.connectionManager.getTerminationStats();
+
+      // Log detailed stats
+      console.log(
+        `Active connections: ${connectionRecords.size}. ` +
+        `Types: TLS=${tlsConnections} (Completed=${completedTlsHandshakes}, Pending=${pendingTlsHandshakes}), ` +
+        `Non-TLS=${nonTlsConnections}, KeepAlive=${keepAliveConnections}, NetworkProxy=${networkProxyConnections}. ` +
+        `Longest running: IN=${plugins.prettyMs(maxIncoming)}, OUT=${plugins.prettyMs(maxOutgoing)}. ` +
+        `Termination stats: ${JSON.stringify({
+          IN: terminationStats.incoming,
+          OUT: terminationStats.outgoing,
+        })}`
+      );
+    }, this.settings.inactivityCheckInterval || 60000);
+
+    // Make sure the interval doesn't keep the process alive
+    if (this.connectionLogger.unref) {
+      this.connectionLogger.unref();
+    }
+  }
+  
+  /**
+   * Stop the proxy server
+   */
+  public async stop() {
+    console.log('PortProxy shutting down...');
+    this.isShuttingDown = true;
+
+    // Stop accepting new connections
+    const closeServerPromises: Promise<void>[] = this.netServers.map(
+      (server) =>
+        new Promise<void>((resolve) => {
+          if (!server.listening) {
+            resolve();
+            return;
+          }
+          server.close((err) => {
+            if (err) {
+              console.log(`Error closing server: ${err.message}`);
+            }
+            resolve();
+          });
+        })
+    );
+
+    // Stop the connection logger
+    if (this.connectionLogger) {
+      clearInterval(this.connectionLogger);
+      this.connectionLogger = null;
+    }
+
+    // Wait for servers to close
+    await Promise.all(closeServerPromises);
+    console.log('All servers closed. Cleaning up active connections...');
+
+    // Clean up all active connections
+    this.connectionManager.clearConnections();
+
+    // Stop NetworkProxy
+    await this.networkProxyBridge.stop();
+
+    // Clear all servers
+    this.netServers = [];
+
+    console.log('PortProxy shutdown complete.');
+  }
+  
+  /**
+   * Updates the domain configurations for the proxy
+   */
+  public async updateDomainConfigs(newDomainConfigs: IDomainConfig[]): Promise<void> {
+    console.log(`Updating domain configurations (${newDomainConfigs.length} configs)`);
+    
+    // Update domain configs in DomainConfigManager
+    this.domainConfigManager.updateDomainConfigs(newDomainConfigs);
+    
+    // If NetworkProxy is initialized, resync the configurations
+    if (this.networkProxyBridge.getNetworkProxy()) {
+      await this.networkProxyBridge.syncDomainConfigsToNetworkProxy();
+    }
+  }
+  
+  /**
+   * Updates the ACME certificate settings
+   */
+  public async updateAcmeSettings(acmeSettings: IPortProxySettings['acme']): Promise<void> {
+    console.log('Updating ACME certificate settings');
+    
+    // Delegate to AcmeManager
+    await this.acmeManager.updateAcmeSettings(acmeSettings);
+  }
+  
+  /**
+   * Requests a certificate for a specific domain
+   */
+  public async requestCertificate(domain: string): Promise<boolean> {
+    // Delegate to AcmeManager
+    return this.acmeManager.requestCertificate(domain);
+  }
+  
+  /**
+   * Get statistics about current connections
+   */
+  public getStatistics(): any {
+    const connectionRecords = this.connectionManager.getConnections();
+    const terminationStats = this.connectionManager.getTerminationStats();
+    
+    let tlsConnections = 0;
+    let nonTlsConnections = 0;
+    let keepAliveConnections = 0;
+    let networkProxyConnections = 0;
+    
+    // Analyze active connections
+    for (const record of connectionRecords.values()) {
+      if (record.isTLS) tlsConnections++;
+      else nonTlsConnections++;
+      if (record.hasKeepAlive) keepAliveConnections++;
+      if (record.usingNetworkProxy) networkProxyConnections++;
+    }
+    
+    return {
+      activeConnections: connectionRecords.size,
+      tlsConnections,
+      nonTlsConnections,
+      keepAliveConnections,
+      networkProxyConnections,
+      terminationStats
+    };
+  }
+}

ts/classes.pp.portrangemanager.ts

@@ -0,0 +1,214 @@
+import type{ IPortProxySettings } from './classes.pp.interfaces.js';
+
+/**
+ * Manages port ranges and port-based configuration
+ */
+export class PortRangeManager {
+  constructor(private settings: IPortProxySettings) {}
+  
+  /**
+   * Get all ports that should be listened on
+   */
+  public getListeningPorts(): Set<number> {
+    const listeningPorts = new Set<number>();
+    
+    // Always include the main fromPort
+    listeningPorts.add(this.settings.fromPort);
+    
+    // Add ports from global port ranges if defined
+    if (this.settings.globalPortRanges && this.settings.globalPortRanges.length > 0) {
+      for (const range of this.settings.globalPortRanges) {
+        for (let port = range.from; port <= range.to; port++) {
+          listeningPorts.add(port);
+        }
+      }
+    }
+    
+    return listeningPorts;
+  }
+  
+  /**
+   * Check if a port should use NetworkProxy for forwarding
+   */
+  public shouldUseNetworkProxy(port: number): boolean {
+    return !!this.settings.useNetworkProxy && this.settings.useNetworkProxy.includes(port);
+  }
+  
+  /**
+   * Check if port should use global forwarding
+   */
+  public shouldUseGlobalForwarding(port: number): boolean {
+    return (
+      !!this.settings.forwardAllGlobalRanges &&
+      this.isPortInGlobalRanges(port)
+    );
+  }
+  
+  /**
+   * Check if a port is in global ranges
+   */
+  public isPortInGlobalRanges(port: number): boolean {
+    return (
+      this.settings.globalPortRanges &&
+      this.isPortInRanges(port, this.settings.globalPortRanges)
+    );
+  }
+  
+  /**
+   * Check if a port falls within the specified ranges
+   */
+  public isPortInRanges(port: number, ranges: Array<{ from: number; to: number }>): boolean {
+    return ranges.some((range) => port >= range.from && port <= range.to);
+  }
+  
+  /**
+   * Get forwarding port for a specific listening port
+   * This determines what port to connect to on the target
+   */
+  public getForwardingPort(listeningPort: number): number {
+    // If using global forwarding, forward to the original port
+    if (this.settings.forwardAllGlobalRanges && this.isPortInGlobalRanges(listeningPort)) {
+      return listeningPort;
+    }
+    
+    // Otherwise use the configured toPort
+    return this.settings.toPort;
+  }
+  
+  /**
+   * Find domain-specific port ranges that include a given port
+   */
+  public findDomainPortRange(port: number): { 
+    domainIndex: number, 
+    range: { from: number, to: number } 
+  } | undefined {
+    for (let i = 0; i < this.settings.domainConfigs.length; i++) {
+      const domain = this.settings.domainConfigs[i];
+      if (domain.portRanges) {
+        for (const range of domain.portRanges) {
+          if (port >= range.from && port <= range.to) {
+            return { domainIndex: i, range };
+          }
+        }
+      }
+    }
+    return undefined;
+  }
+  
+  /**
+   * Get a list of all configured ports
+   * This includes the fromPort, NetworkProxy ports, and ports from all ranges
+   */
+  public getAllConfiguredPorts(): number[] {
+    const ports = new Set<number>();
+    
+    // Add main listening port
+    ports.add(this.settings.fromPort);
+    
+    // Add NetworkProxy port if configured
+    if (this.settings.networkProxyPort) {
+      ports.add(this.settings.networkProxyPort);
+    }
+    
+    // Add NetworkProxy ports
+    if (this.settings.useNetworkProxy) {
+      for (const port of this.settings.useNetworkProxy) {
+        ports.add(port);
+      }
+    }
+    
+    // Add ACME HTTP challenge port if enabled
+    if (this.settings.acme?.enabled && this.settings.acme.port) {
+      ports.add(this.settings.acme.port);
+    }
+    
+    // Add global port ranges
+    if (this.settings.globalPortRanges) {
+      for (const range of this.settings.globalPortRanges) {
+        for (let port = range.from; port <= range.to; port++) {
+          ports.add(port);
+        }
+      }
+    }
+    
+    // Add domain-specific port ranges
+    for (const domain of this.settings.domainConfigs) {
+      if (domain.portRanges) {
+        for (const range of domain.portRanges) {
+          for (let port = range.from; port <= range.to; port++) {
+            ports.add(port);
+          }
+        }
+      }
+      
+      // Add domain-specific NetworkProxy port if configured
+      if (domain.useNetworkProxy && domain.networkProxyPort) {
+        ports.add(domain.networkProxyPort);
+      }
+    }
+    
+    return Array.from(ports);
+  }
+  
+  /**
+   * Validate port configuration
+   * Returns array of warning messages
+   */
+  public validateConfiguration(): string[] {
+    const warnings: string[] = [];
+    
+    // Check for overlapping port ranges
+    const portMappings = new Map<number, string[]>();
+    
+    // Track global port ranges
+    if (this.settings.globalPortRanges) {
+      for (const range of this.settings.globalPortRanges) {
+        for (let port = range.from; port <= range.to; port++) {
+          if (!portMappings.has(port)) {
+            portMappings.set(port, []);
+          }
+          portMappings.get(port)!.push('Global Port Range');
+        }
+      }
+    }
+    
+    // Track domain-specific port ranges
+    for (const domain of this.settings.domainConfigs) {
+      if (domain.portRanges) {
+        for (const range of domain.portRanges) {
+          for (let port = range.from; port <= range.to; port++) {
+            if (!portMappings.has(port)) {
+              portMappings.set(port, []);
+            }
+            portMappings.get(port)!.push(`Domain: ${domain.domains.join(', ')}`);
+          }
+        }
+      }
+    }
+    
+    // Check for ports with multiple mappings
+    for (const [port, mappings] of portMappings.entries()) {
+      if (mappings.length > 1) {
+        warnings.push(`Port ${port} has multiple mappings: ${mappings.join(', ')}`);
+      }
+    }
+    
+    // Check if main ports are used elsewhere
+    if (portMappings.has(this.settings.fromPort) && portMappings.get(this.settings.fromPort)!.length > 0) {
+      warnings.push(`Main listening port ${this.settings.fromPort} is also used in port ranges`);
+    }
+    
+    if (this.settings.networkProxyPort && portMappings.has(this.settings.networkProxyPort)) {
+      warnings.push(`NetworkProxy port ${this.settings.networkProxyPort} is also used in port ranges`);
+    }
+    
+    // Check ACME port
+    if (this.settings.acme?.enabled && this.settings.acme.port) {
+      if (portMappings.has(this.settings.acme.port)) {
+        warnings.push(`ACME HTTP challenge port ${this.settings.acme.port} is also used in port ranges`);
+      }
+    }
+    
+    return warnings;
+  }
+}

ts/classes.pp.securitymanager.ts

@@ -0,0 +1,147 @@
+import * as plugins from './plugins.js';
+import type { IPortProxySettings } from './classes.pp.interfaces.js';
+
+/**
+ * Handles security aspects like IP tracking, rate limiting, and authorization
+ */
+export class SecurityManager {
+  private connectionsByIP: Map<string, Set<string>> = new Map();
+  private connectionRateByIP: Map<string, number[]> = new Map();
+  
+  constructor(private settings: IPortProxySettings) {}
+  
+  /**
+   * Get connections count by IP
+   */
+  public getConnectionCountByIP(ip: string): number {
+    return this.connectionsByIP.get(ip)?.size || 0;
+  }
+  
+  /**
+   * Check and update connection rate for an IP
+   * @returns true if within rate limit, false if exceeding limit
+   */
+  public checkConnectionRate(ip: string): boolean {
+    const now = Date.now();
+    const minute = 60 * 1000;
+
+    if (!this.connectionRateByIP.has(ip)) {
+      this.connectionRateByIP.set(ip, [now]);
+      return true;
+    }
+
+    // Get timestamps and filter out entries older than 1 minute
+    const timestamps = this.connectionRateByIP.get(ip)!.filter((time) => now - time < minute);
+    timestamps.push(now);
+    this.connectionRateByIP.set(ip, timestamps);
+
+    // Check if rate exceeds limit
+    return timestamps.length <= this.settings.connectionRateLimitPerMinute!;
+  }
+  
+  /**
+   * Track connection by IP
+   */
+  public trackConnectionByIP(ip: string, connectionId: string): void {
+    if (!this.connectionsByIP.has(ip)) {
+      this.connectionsByIP.set(ip, new Set());
+    }
+    this.connectionsByIP.get(ip)!.add(connectionId);
+  }
+  
+  /**
+   * Remove connection tracking for an IP
+   */
+  public removeConnectionByIP(ip: string, connectionId: string): void {
+    if (this.connectionsByIP.has(ip)) {
+      const connections = this.connectionsByIP.get(ip)!;
+      connections.delete(connectionId);
+      if (connections.size === 0) {
+        this.connectionsByIP.delete(ip);
+      }
+    }
+  }
+  
+  /**
+   * Check if an IP is allowed using glob patterns
+   */
+  public isIPAuthorized(ip: string, allowedIPs: string[], blockedIPs: string[] = []): boolean {
+    // Skip IP validation if allowedIPs is empty
+    if (!ip || (allowedIPs.length === 0 && blockedIPs.length === 0)) {
+      return true;
+    }
+    
+    // First check if IP is blocked
+    if (blockedIPs.length > 0 && this.isGlobIPMatch(ip, blockedIPs)) {
+      return false;
+    }
+    
+    // Then check if IP is allowed
+    return this.isGlobIPMatch(ip, allowedIPs);
+  }
+  
+  /**
+   * Check if the IP matches any of the glob patterns
+   */
+  private isGlobIPMatch(ip: string, patterns: string[]): boolean {
+    if (!ip || !patterns || patterns.length === 0) return false;
+
+    const normalizeIP = (ip: string): string[] => {
+      if (!ip) return [];
+      if (ip.startsWith('::ffff:')) {
+        const ipv4 = ip.slice(7);
+        return [ip, ipv4];
+      }
+      if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
+        return [ip, `::ffff:${ip}`];
+      }
+      return [ip];
+    };
+
+    const normalizedIPVariants = normalizeIP(ip);
+    if (normalizedIPVariants.length === 0) return false;
+
+    const expandedPatterns = patterns.flatMap(normalizeIP);
+    return normalizedIPVariants.some((ipVariant) =>
+      expandedPatterns.some((pattern) => plugins.minimatch(ipVariant, pattern))
+    );
+  }
+  
+  /**
+   * Check if IP should be allowed considering connection rate and max connections
+   * @returns Object with result and reason
+   */
+  public validateIP(ip: string): { allowed: boolean; reason?: string } {
+    // Check connection count limit
+    if (
+      this.settings.maxConnectionsPerIP &&
+      this.getConnectionCountByIP(ip) >= this.settings.maxConnectionsPerIP
+    ) {
+      return {
+        allowed: false,
+        reason: `Maximum connections per IP (${this.settings.maxConnectionsPerIP}) exceeded`
+      };
+    }
+
+    // Check connection rate limit
+    if (
+      this.settings.connectionRateLimitPerMinute && 
+      !this.checkConnectionRate(ip)
+    ) {
+      return {
+        allowed: false,
+        reason: `Connection rate limit (${this.settings.connectionRateLimitPerMinute}/min) exceeded`
+      };
+    }
+    
+    return { allowed: true };
+  }
+  
+  /**
+   * Clears all IP tracking data (for shutdown)
+   */
+  public clearIPTracking(): void {
+    this.connectionsByIP.clear();
+    this.connectionRateByIP.clear();
+  }
+}

ts/classes.pp.timeoutmanager.ts

@@ -0,0 +1,190 @@
+import type { IConnectionRecord, IPortProxySettings } from './classes.pp.interfaces.js';
+
+/**
+ * Manages timeouts and inactivity tracking for connections
+ */
+export class TimeoutManager {
+  constructor(private settings: IPortProxySettings) {}
+  
+  /**
+   * Ensure timeout values don't exceed Node.js max safe integer
+   */
+  public ensureSafeTimeout(timeout: number): number {
+    const MAX_SAFE_TIMEOUT = 2147483647; // Maximum safe value (2^31 - 1)
+    return Math.min(Math.floor(timeout), MAX_SAFE_TIMEOUT);
+  }
+  
+  /**
+   * Generate a slightly randomized timeout to prevent thundering herd
+   */
+  public randomizeTimeout(baseTimeout: number, variationPercent: number = 5): number {
+    const safeBaseTimeout = this.ensureSafeTimeout(baseTimeout);
+    const variation = safeBaseTimeout * (variationPercent / 100);
+    return this.ensureSafeTimeout(
+      safeBaseTimeout + Math.floor(Math.random() * variation * 2) - variation
+    );
+  }
+  
+  /**
+   * Update connection activity timestamp
+   */
+  public updateActivity(record: IConnectionRecord): void {
+    record.lastActivity = Date.now();
+
+    // Clear any inactivity warning
+    if (record.inactivityWarningIssued) {
+      record.inactivityWarningIssued = false;
+    }
+  }
+  
+  /**
+   * Calculate effective inactivity timeout based on connection type
+   */
+  public getEffectiveInactivityTimeout(record: IConnectionRecord): number {
+    let effectiveTimeout = this.settings.inactivityTimeout || 14400000; // 4 hours default
+    
+    // For immortal keep-alive connections, use an extremely long timeout
+    if (record.hasKeepAlive && this.settings.keepAliveTreatment === 'immortal') {
+      return Number.MAX_SAFE_INTEGER;
+    }
+    
+    // For extended keep-alive connections, apply multiplier
+    if (record.hasKeepAlive && this.settings.keepAliveTreatment === 'extended') {
+      const multiplier = this.settings.keepAliveInactivityMultiplier || 6;
+      effectiveTimeout = effectiveTimeout * multiplier;
+    }
+    
+    return this.ensureSafeTimeout(effectiveTimeout);
+  }
+  
+  /**
+   * Calculate effective max lifetime based on connection type
+   */
+  public getEffectiveMaxLifetime(record: IConnectionRecord): number {
+    // Use domain-specific timeout if available
+    const baseTimeout = record.domainConfig?.connectionTimeout || 
+                        this.settings.maxConnectionLifetime || 
+                        86400000; // 24 hours default
+    
+    // For immortal keep-alive connections, use an extremely long lifetime
+    if (record.hasKeepAlive && this.settings.keepAliveTreatment === 'immortal') {
+      return Number.MAX_SAFE_INTEGER;
+    }
+    
+    // For extended keep-alive connections, use the extended lifetime setting
+    if (record.hasKeepAlive && this.settings.keepAliveTreatment === 'extended') {
+      return this.ensureSafeTimeout(
+        this.settings.extendedKeepAliveLifetime || 7 * 24 * 60 * 60 * 1000 // 7 days default
+      );
+    }
+    
+    // Apply randomization if enabled
+    if (this.settings.enableRandomizedTimeouts) {
+      return this.randomizeTimeout(baseTimeout);
+    }
+    
+    return this.ensureSafeTimeout(baseTimeout);
+  }
+  
+  /**
+   * Setup connection timeout
+   * @returns The cleanup timer
+   */
+  public setupConnectionTimeout(
+    record: IConnectionRecord, 
+    onTimeout: (record: IConnectionRecord, reason: string) => void
+  ): NodeJS.Timeout {
+    // Clear any existing timer
+    if (record.cleanupTimer) {
+      clearTimeout(record.cleanupTimer);
+    }
+    
+    // Calculate effective timeout
+    const effectiveLifetime = this.getEffectiveMaxLifetime(record);
+    
+    // Set up the timeout
+    const timer = setTimeout(() => {
+      // Call the provided callback
+      onTimeout(record, 'connection_timeout');
+    }, effectiveLifetime);
+    
+    // Make sure timeout doesn't keep the process alive
+    if (timer.unref) {
+      timer.unref();
+    }
+    
+    return timer;
+  }
+  
+  /**
+   * Check for inactivity on a connection
+   * @returns Object with check results
+   */
+  public checkInactivity(record: IConnectionRecord): {
+    isInactive: boolean;
+    shouldWarn: boolean;
+    inactivityTime: number;
+    effectiveTimeout: number;
+  } {
+    // Skip for connections with inactivity check disabled
+    if (this.settings.disableInactivityCheck) {
+      return {
+        isInactive: false,
+        shouldWarn: false,
+        inactivityTime: 0,
+        effectiveTimeout: 0
+      };
+    }
+    
+    // Skip for immortal keep-alive connections
+    if (record.hasKeepAlive && this.settings.keepAliveTreatment === 'immortal') {
+      return {
+        isInactive: false,
+        shouldWarn: false,
+        inactivityTime: 0,
+        effectiveTimeout: 0
+      };
+    }
+    
+    const now = Date.now();
+    const inactivityTime = now - record.lastActivity;
+    const effectiveTimeout = this.getEffectiveInactivityTimeout(record);
+    
+    // Check if inactive
+    const isInactive = inactivityTime > effectiveTimeout;
+    
+    // For keep-alive connections, we should warn first
+    const shouldWarn = record.hasKeepAlive && 
+                       isInactive && 
+                       !record.inactivityWarningIssued;
+    
+    return {
+      isInactive,
+      shouldWarn,
+      inactivityTime,
+      effectiveTimeout
+    };
+  }
+  
+  /**
+   * Apply socket timeout settings
+   */
+  public applySocketTimeouts(record: IConnectionRecord): void {
+    // Skip for immortal keep-alive connections
+    if (record.hasKeepAlive && this.settings.keepAliveTreatment === 'immortal') {
+      // Disable timeouts completely for immortal connections
+      record.incoming.setTimeout(0);
+      if (record.outgoing) {
+        record.outgoing.setTimeout(0);
+      }
+      return;
+    }
+    
+    // Apply normal timeouts
+    const timeout = this.ensureSafeTimeout(this.settings.socketTimeout || 3600000); // 1 hour default
+    record.incoming.setTimeout(timeout);
+    if (record.outgoing) {
+      record.outgoing.setTimeout(timeout);
+    }
+  }
+}

ts/classes.pp.tlsmanager.ts

@@ -0,0 +1,206 @@
+import * as plugins from './plugins.js';
+import type { IPortProxySettings } from './classes.pp.interfaces.js';
+import { SniHandler } from './classes.pp.snihandler.js';
+
+/**
+ * Interface for connection information used for SNI extraction
+ */
+interface IConnectionInfo {
+  sourceIp: string;
+  sourcePort: number;
+  destIp: string;
+  destPort: number;
+}
+
+/**
+ * Manages TLS-related operations including SNI extraction and validation
+ */
+export class TlsManager {
+  constructor(private settings: IPortProxySettings) {}
+  
+  /**
+   * Check if a data chunk appears to be a TLS handshake
+   */
+  public isTlsHandshake(chunk: Buffer): boolean {
+    return SniHandler.isTlsHandshake(chunk);
+  }
+  
+  /**
+   * Check if a data chunk appears to be a TLS ClientHello
+   */
+  public isClientHello(chunk: Buffer): boolean {
+    return SniHandler.isClientHello(chunk);
+  }
+  
+  /**
+   * Extract Server Name Indication (SNI) from TLS handshake
+   */
+  public extractSNI(
+    chunk: Buffer, 
+    connInfo: IConnectionInfo, 
+    previousDomain?: string
+  ): string | undefined {
+    // Use the SniHandler to process the TLS packet
+    return SniHandler.processTlsPacket(
+      chunk,
+      connInfo,
+      this.settings.enableTlsDebugLogging || false,
+      previousDomain
+    );
+  }
+  
+  /**
+   * Handle session resumption attempts
+   */
+  public handleSessionResumption(
+    chunk: Buffer, 
+    connectionId: string,
+    hasSNI: boolean
+  ): { shouldBlock: boolean; reason?: string } {
+    // Skip if session tickets are allowed
+    if (this.settings.allowSessionTicket !== false) {
+      return { shouldBlock: false };
+    }
+    
+    // Check for session resumption attempt
+    const resumptionInfo = SniHandler.hasSessionResumption(
+      chunk,
+      this.settings.enableTlsDebugLogging || false
+    );
+    
+    // If this is a resumption attempt without SNI, block it
+    if (resumptionInfo.isResumption && !hasSNI && !resumptionInfo.hasSNI) {
+      if (this.settings.enableTlsDebugLogging) {
+        console.log(
+          `[${connectionId}] Session resumption detected without SNI and allowSessionTicket=false. ` +
+          `Terminating connection to force new TLS handshake.`
+        );
+      }
+      return { 
+        shouldBlock: true, 
+        reason: 'session_ticket_blocked' 
+      };
+    }
+    
+    return { shouldBlock: false };
+  }
+  
+  /**
+   * Check for SNI mismatch during renegotiation
+   */
+  public checkRenegotiationSNI(
+    chunk: Buffer,
+    connInfo: IConnectionInfo,
+    expectedDomain: string,
+    connectionId: string
+  ): { hasMismatch: boolean; extractedSNI?: string } {
+    // Only process if this looks like a TLS ClientHello
+    if (!this.isClientHello(chunk)) {
+      return { hasMismatch: false };
+    }
+    
+    try {
+      // Extract SNI with renegotiation support
+      const newSNI = SniHandler.extractSNIWithResumptionSupport(
+        chunk,
+        connInfo,
+        this.settings.enableTlsDebugLogging || false
+      );
+
+      // Skip if no SNI was found
+      if (!newSNI) return { hasMismatch: false };
+
+      // Check for SNI mismatch
+      if (newSNI !== expectedDomain) {
+        if (this.settings.enableTlsDebugLogging) {
+          console.log(
+            `[${connectionId}] Renegotiation with different SNI: ${expectedDomain} -> ${newSNI}. ` +
+            `Terminating connection - SNI domain switching is not allowed.`
+          );
+        }
+        return { hasMismatch: true, extractedSNI: newSNI };
+      } else if (this.settings.enableTlsDebugLogging) {
+        console.log(
+          `[${connectionId}] Renegotiation detected with same SNI: ${newSNI}. Allowing.`
+        );
+      }
+    } catch (err) {
+      console.log(
+        `[${connectionId}] Error processing ClientHello: ${err}. Allowing connection to continue.`
+      );
+    }
+    
+    return { hasMismatch: false };
+  }
+  
+  /**
+   * Create a renegotiation handler function for a connection
+   */
+  public createRenegotiationHandler(
+    connectionId: string,
+    lockedDomain: string,
+    connInfo: IConnectionInfo,
+    onMismatch: (connectionId: string, reason: string) => void
+  ): (chunk: Buffer) => void {
+    return (chunk: Buffer) => {
+      const result = this.checkRenegotiationSNI(chunk, connInfo, lockedDomain, connectionId);
+      if (result.hasMismatch) {
+        onMismatch(connectionId, 'sni_mismatch');
+      }
+    };
+  }
+  
+  /**
+   * Analyze TLS connection for browser fingerprinting
+   * This helps identify browser vs non-browser connections
+   */
+  public analyzeClientHello(chunk: Buffer): { 
+    isBrowserConnection: boolean; 
+    isRenewal: boolean;
+    hasSNI: boolean;
+  } {
+    // Default result
+    const result = { 
+      isBrowserConnection: false, 
+      isRenewal: false,
+      hasSNI: false
+    };
+    
+    try {
+      // Check if it's a ClientHello
+      if (!this.isClientHello(chunk)) {
+        return result;
+      }
+      
+      // Check for session resumption
+      const resumptionInfo = SniHandler.hasSessionResumption(
+        chunk,
+        this.settings.enableTlsDebugLogging || false
+      );
+      
+      // Extract SNI
+      const sni = SniHandler.extractSNI(
+        chunk,
+        this.settings.enableTlsDebugLogging || false
+      );
+      
+      // Update result
+      result.isRenewal = resumptionInfo.isResumption;
+      result.hasSNI = !!sni;
+      
+      // Browsers typically:
+      // 1. Send SNI extension
+      // 2. Have a variety of extensions (ALPN, etc.)
+      // 3. Use standard cipher suites
+      // ...more complex heuristics could be implemented here
+      
+      // Simple heuristic: presence of SNI suggests browser
+      result.isBrowserConnection = !!sni; 
+      
+      return result;
+    } catch (err) {
+      console.log(`Error analyzing ClientHello: ${err}`);
+      return result;
+    }
+  }
+}

ts/classes.router.ts

@@ -19,6 +19,21 @@ export interface IRouterResult {
   pathRemainder?: string;
 }
 
+/**
+ * Router for HTTP reverse proxy requests
+ * 
+ * Supports the following domain matching patterns:
+ * - Exact matches: "example.com"
+ * - Wildcard subdomains: "*.example.com" (matches any subdomain of example.com)
+ * - TLD wildcards: "example.*" (matches example.com, example.org, etc.)
+ * - Complex wildcards: "*.lossless*" (matches any subdomain of any lossless domain)
+ * - Default fallback: "*" (matches any unmatched domain)
+ * 
+ * Also supports path pattern matching for each domain:
+ * - Exact path: "/api/users"
+ * - Wildcard paths: "/api/*" 
+ * - Path parameters: "/users/:id/profile"
+ */
 export class ProxyRouter {
   // Store original configs for reference
   private reverseProxyConfigs: tsclass.network.IReverseProxyConfig[] = [];
@@ -98,9 +113,11 @@ export class ProxyRouter {
       return exactConfig;
     }
     
-    // Try wildcard subdomain
+    // Try various wildcard patterns
     if (hostWithoutPort.includes('.')) {
       const domainParts = hostWithoutPort.split('.');
+      
+      // Try wildcard subdomain (*.example.com)
       if (domainParts.length > 2) {
         const wildcardDomain = `*.${domainParts.slice(1).join('.')}`;
         const wildcardConfig = this.findConfigForHost(wildcardDomain, urlPath);
@@ -108,6 +125,23 @@ export class ProxyRouter {
           return wildcardConfig;
         }
       }
+      
+      // Try TLD wildcard (example.*)
+      const baseDomain = domainParts.slice(0, -1).join('.');
+      const tldWildcardDomain = `${baseDomain}.*`;
+      const tldWildcardConfig = this.findConfigForHost(tldWildcardDomain, urlPath);
+      if (tldWildcardConfig) {
+        return tldWildcardConfig;
+      }
+
+      // Try complex wildcard patterns
+      const wildcardPatterns = this.findWildcardMatches(hostWithoutPort);
+      for (const pattern of wildcardPatterns) {
+        const wildcardConfig = this.findConfigForHost(pattern, urlPath);
+        if (wildcardConfig) {
+          return wildcardConfig;
+        }
+      }
     }
     
     // Fall back to default config if available
@@ -120,6 +154,53 @@ export class ProxyRouter {
     return undefined;
   }
   
+  /**
+   * Find potential wildcard patterns that could match a given hostname
+   * Handles complex patterns like "*.lossless*" or other partial matches
+   * @param hostname The hostname to find wildcard matches for
+   * @returns Array of potential wildcard patterns that could match
+   */
+  private findWildcardMatches(hostname: string): string[] {
+    const patterns: string[] = [];
+    const hostnameParts = hostname.split('.');
+    
+    // Find all configured hostnames that contain wildcards
+    const wildcardConfigs = this.reverseProxyConfigs.filter(
+      config => config.hostName.includes('*')
+    );
+    
+    // Extract unique wildcard patterns
+    const wildcardPatterns = [...new Set(
+      wildcardConfigs.map(config => config.hostName.toLowerCase())
+    )];
+    
+    // For each wildcard pattern, check if it could match the hostname
+    // using simplified regex pattern matching
+    for (const pattern of wildcardPatterns) {
+      // Skip the default wildcard '*'
+      if (pattern === '*') continue;
+      
+      // Skip already checked patterns (*.domain.com and domain.*)
+      if (pattern.startsWith('*.') && pattern.indexOf('*', 2) === -1) continue;
+      if (pattern.endsWith('.*') && pattern.indexOf('*') === pattern.length - 1) continue;
+      
+      // Convert wildcard pattern to regex
+      const regexPattern = pattern
+        .replace(/\./g, '\\.')  // Escape dots
+        .replace(/\*/g, '.*');  // Convert * to .* for regex
+      
+      // Create regex object with case insensitive flag
+      const regex = new RegExp(`^${regexPattern}$`, 'i');
+      
+      // If hostname matches this complex pattern, add it to the list
+      if (regex.test(hostname)) {
+        patterns.push(pattern);
+      }
+    }
+    
+    return patterns;
+  }
+
   /**
    * Find a config for a specific host and path
    */

ts/index.ts

@@ -1,5 +1,6 @@
 export * from './classes.iptablesproxy.js';
 export * from './classes.networkproxy.js';
-export * from './classes.portproxy.js';
+export * from './classes.pp.portproxy.js';
 export * from './classes.port80handler.js';
 export * from './classes.sslredirect.js';
+export * from './classes.pp.snihandler.js';