3.37.0

feat(portproxy): Add ACME certificate management options to PortProxy, update ACME settings handling, and bump dependency versions
3.35.0
2025-03-11 12:56:04 +00:00 · 2025-03-11 12:56:03 +00:00 · 2025-03-11 12:45:55 +00:00 · 2025-03-11 12:45:22 +00:00 · 2025-03-11 12:34:24 +00:00 · 2025-03-11 11:34:29 +00:00
9 changed files with 2661 additions and 1324 deletions
--- a/changelog.md
+++ b/changelog.md
@ -1,5 +1,162 @@
 # Changelog
 ## 2025-03-11 - 3.37.0 - feat(portproxy)
 Add ACME certificate management options to PortProxy, update ACME settings handling, and bump dependency versions
 - Bumped version in package.json from 3.34.0 to 3.36.0 and updated commitinfo accordingly
 - Updated dependencies: @push.rocks/tapbundle to ^5.5.10, @types/node to ^22.13.10, and @tsclass/tsclass to ^5.0.0
 - Added ACME certificate management configuration to PortProxy settings (acme options, updateAcmeSettings, requestCertificate)
 - Enhanced sync of domain configs to NetworkProxy with fallback for missing default certificates
 ## 2025-03-11 - 3.34.0 - feat(core)
 Improve wildcard domain matching and enhance NetworkProxy integration in PortProxy. Added support for TLD wildcards and complex wildcard patterns in the router, and refactored TLS renegotiation handling for stricter SNI enforcement.
 - Added support for TLD wildcard matching (e.g., 'example.*') to improve domain routing.
 - Implemented complex wildcard pattern matching (e.g., '*.lossless*') in the router.
 - Enhanced NetworkProxy integration by initializing a single NetworkProxy instance and forwarding TLS connections accordingly.
 - Refactored TLS renegotiation handling to terminate connections on SNI mismatch for stricter enforcement.
 - Updated tests to cover the new wildcard matching scenarios.
 ## 2025-03-11 - 3.33.0 - feat(portproxy)
 Add browser-friendly mode and SNI renegotiation configuration options to PortProxy
 - Introduce new properties: browserFriendlyMode (default true) to optimize handling for browser connections.
 - Add allowRenegotiationWithDifferentSNI (default false) to enable or disable SNI changes during renegotiation.
 - Include relatedDomainPatterns to define patterns for related domains that can share connections.
 - Update TypeScript interfaces and internal renegotiation logic to support these options.
 ## 2025-03-11 - 3.32.2 - fix(PortProxy)
 Simplify TLS handshake SNI extraction and update timeout settings in PortProxy for improved maintainability and reliability.
 - Removed legacy and deprecated fields related to chained proxy configurations (isChainedProxy, chainPosition, aggressiveTlsRefresh).
 - Refactored the extractSNI functions to use a simpler, more robust approach for TLS ClientHello processing.
 - Adjusted default timeout and keep-alive settings to more standard values (e.g. initialDataTimeout set to 60s, socketTimeout to 1h).
 - Eliminated redundant TLS session cache and deep TLS refresh logic.
 - Improved logging and error handling during connection setup and renegotiation phases.
 ## 2025-03-11 - 3.32.1 - fix(portproxy)
 Relax TLS handshake and connection timeout settings for improved stability in chained proxy scenarios; update TLS session cache defaults and add keep-alive flags to connection records.
 - Increased TLS session cache maximum entries from 10,000 to 20,000, expiry time from 24 hours to 7 days, and cleanup interval from 10 minutes to 30 minutes
 - Relaxed socket timeouts: standalone connections now use up to 6 hours, with chained proxies adjusted for 5–6 hours based on proxy position
 - Updated inactivity, connection, and initial handshake timeouts to provide a more relaxed behavior under high-traffic chained proxy scenarios
 - Increased keepAliveInitialDelay from 10 seconds to 30 seconds and introduced separate incoming and outgoing keep-alive flags
 - Enhanced TLS renegotiation handling with more detailed logging and temporary processing flags to avoid duplicate processing
 - Updated NetworkProxy integration to use optimized connection settings and more aggressive application-level keep-alive probes
 ## 2025-03-11 - 3.32.0 - feat(PortProxy)
 Enhance TLS session cache, SNI extraction, and chained proxy support in PortProxy. Improve handling of multiple and fragmented TLS records, and add new configuration options (isChainedProxy, chainPosition, aggressiveTlsRefresh, tlsSessionCache) for robust TLS certificate refresh.
 - Implement TlsSessionCache with configurable cleanup, eviction, and statistics.
 - Improve extractSNIInfo to process multiple TLS records and partial handshake data.
 - Add new settings to detect chained proxy scenarios and adjust timeouts accordingly.
 - Enhance TLS state refresh with aggressive probing and deep refresh sequence.
 ## 2025-03-11 - 3.31.2 - fix(PortProxy)
 Improve SNI renegotiation handling by adding flexible domain configuration matching on rehandshake and session resumption events.
 - When a rehandshake is detected with a changed SNI, first check existing domain config rules and log if allowed.
 - If the exact domain config is not found, additionally attempt flexible matching using parent domain and wildcard patterns.
 - For resumed sessions, try an exact match first and then use fallback logic to select a similar domain config based on matching target IP.
 - Enhanced logging added to help diagnose missing or mismatched domain configurations.
 ## 2025-03-11 - 3.31.1 - fix(PortProxy)
 Improve TLS handshake buffering and enhance debug logging for SNI forwarding in PortProxy
 - Explicitly copy the initial TLS handshake data to prevent mutation before buffering
 - Log buffered TLS handshake data with SNI information for better diagnostics
 - Add detailed error logs on TLS connection failures, including server and domain config status
 - Output additional debug messages during ClientHello forwarding to verify proper TLS handshake processing
 ## 2025-03-11 - 3.31.0 - feat(PortProxy)
 Improve TLS handshake SNI extraction and add session resumption tracking in PortProxy
 - Added ITlsSessionInfo interface and a global tlsSessionCache to track TLS session IDs for session resumption
 - Implemented a cleanup timer for the TLS session cache with startSessionCleanupTimer and stopSessionCleanupTimer
 - Enhanced extractSNIInfo to return detailed SNI information including session IDs, ticket details, and resumption status
 - Updated renegotiation handlers to use extractSNIInfo for proper SNI extraction during TLS rehandshake
 ## 2025-03-11 - 3.30.8 - fix(core)
 No changes in this commit.
 ## 2025-03-11 - 3.30.7 - fix(PortProxy)
 Improve TLS renegotiation SNI handling by first checking if the new SNI is allowed under the existing domain config. If not, attempt to find an alternative domain config and update the locked domain accordingly; otherwise, terminate the connection on SNI mismatch.
 - Added a preliminary check against the original domain config to allow re-handshakes if the new SNI matches allowed patterns.
 - If the original config does not allow, search for an alternative domain config and validate IP rules.
 - Update the locked domain when allowed, ensuring connection reuse with valid certificate context.
 - Terminate the connection if no suitable domain config is found or IP restrictions are violated.
 ## 2025-03-11 - 3.30.6 - fix(PortProxy)
 Improve TLS renegotiation handling in PortProxy by validating the new SNI against allowed domain configurations. If the new SNI is permitted based on existing IP rules, update the locked domain to allow connection reuse; otherwise, terminate the connection to prevent misrouting.
 - Added logic to check if a new SNI during renegotiation is allowed by comparing IP rules from the matching domain configuration.
 - Updated detailed logging to indicate when a valid SNI change is accepted and when it results in a mismatch termination.
 ## 2025-03-10 - 3.30.5 - fix(internal)
 No uncommitted changes detected; project files and tests remain unchanged.
 ## 2025-03-10 - 3.30.4 - fix(PortProxy)
 Fix TLS renegotiation handling and adjust TLS keep-alive timeouts in PortProxy implementation
 - Allow TLS renegotiation data without an explicit SNI extraction to pass through, ensuring valid renegotiations are not dropped (critical for Chrome).
 - Update TLS keep-alive timeout from an aggressive 30 minutes to a more generous 4 hours to reduce unnecessary reconnections.
 - Increase inactivity thresholds for TLS connections from 20 minutes to 2 hours with an additional verification interval extended from 5 to 15 minutes.
 - Adjust long-lived TLS connection timeout from 45 minutes to 8 hours for improved certificate context refresh in chained proxy scenarios.
 ## 2025-03-10 - 3.30.3 - fix(classes.portproxy.ts)
 Simplify timeout management in PortProxy and fix chained proxy certificate refresh issues
 - Reduced TLS keep-alive timeout from 8 hours to 30 minutes to ensure frequent certificate refresh
 - Added aggressive TLS state refresh after 20 minutes of inactivity and secondary verification checks
 - Lowered long-lived TLS connection lifetime from 12 hours to 45 minutes to prevent stale certificates
 - Removed configurable timeout settings from the public API in favor of hardcoded sensible defaults
 - Simplified internal timeout management to reduce code complexity and improve certificate handling in chained proxies
 ## 2025-03-10 - 3.31.0 - fix(classes.portproxy.ts)
 Simplified timeout management and fixed certificate issues in chained proxy scenarios
 - Dramatically reduced TLS keep-alive timeout from 8 hours to 30 minutes to ensure fresh certificates
 - Added aggressive certificate refresh after 20 minutes of inactivity (down from 4 hours)
 - Added secondary verification checks for TLS refresh operations
 - Reduced long-lived TLS connection lifetime from 12 hours to 45 minutes
 - Removed configurable timeouts completely from the public API in favor of hardcoded sensible defaults
 - Simplified interface by removing no-longer-configurable settings while maintaining internal compatibility
 - Reduced overall code complexity by eliminating complex timeout management
 - Fixed chained proxy certificate issues by ensuring more frequent certificate refreshes in all deployment scenarios
 ## 2025-03-10 - 3.30.2 - fix(classes.portproxy.ts)
 Adjust TLS keep-alive timeout to refresh certificate context.
 - Modified TLS keep-alive timeout for connections to 8 hours to refresh certificate context.
 - Updated timeout log messages for clarity on TLS certificate refresh.
 ## 2025-03-10 - 3.30.1 - fix(PortProxy)
 Improve TLS keep-alive management and fix whitespace formatting
 - Implemented better handling for TLS keep-alive connections after sleep or long inactivity.
 - Reformatted whitespace for better readability and consistency.
 ## 2025-03-08 - 3.30.0 - feat(PortProxy)
 Add advanced TLS keep-alive handling and system sleep detection
 - Implemented system sleep detection to maintain keep-alive connections.
 - Enhanced TLS keep-alive connections with extended timeout and sleep detection mechanisms.
 - Introduced automatic TLS state refresh after system wake-up to prevent connection drops.
 ## 2025-03-07 - 3.29.3 - fix(core)
 Fix functional errors in the proxy setup and enhance pnpm configuration
 - Corrected pnpm configuration to include specific dependencies as 'onlyBuiltDependencies'.
 ## 2025-03-07 - 3.29.2 - fix(PortProxy)
 Fix test for PortProxy handling of custom IPs in Docker/CI environments.
 - Ensure compatibility with Docker/CI environments by standardizing on 127.0.0.1 for test server setup.
 - Simplify test configuration by using a unique port rather than different IPs.
 ## 2025-03-07 - 3.29.1 - fix(readme)
 Update readme for IPTablesProxy options
--- a/package.json
+++ b/package.json
@ -1,8 +1,8 @@
 {
  "name": "@push.rocks/smartproxy",
-  "version": "3.29.1",
+  "version": "3.37.0",
  "private": false,
-  "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.",
+  "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.",
  "main": "dist_ts/index.js",
  "typings": "dist_ts/index.d.ts",
  "type": "module",
@ -18,8 +18,8 @@
    "@git.zone/tsbuild": "^2.2.6",
    "@git.zone/tsrun": "^1.2.44",
    "@git.zone/tstest": "^1.0.77",
-    "@push.rocks/tapbundle": "^5.5.6",
+    "@push.rocks/tapbundle": "^5.5.10",
-    "@types/node": "^22.13.9",
+    "@types/node": "^22.13.10",
    "typescript": "^5.8.2"
  },
  "dependencies": {
@ -28,7 +28,7 @@
    "@push.rocks/smartpromise": "^4.2.3",
    "@push.rocks/smartrequest": "^2.0.23",
    "@push.rocks/smartstring": "^4.0.15",
-    "@tsclass/tsclass": "^4.4.3",
+    "@tsclass/tsclass": "^5.0.0",
    "@types/minimatch": "^5.1.2",
    "@types/ws": "^8.18.0",
    "acme-client": "^5.4.0",
@ -77,6 +77,11 @@
    "url": "https://code.foss.global/push.rocks/smartproxy/issues"
  },
  "pnpm": {
-    "overrides": {}
+    "overrides": {},
    "onlyBuiltDependencies": [
      "esbuild",
      "mongodb-memory-server",
      "puppeteer"
    ]
  }
 }
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
--- a/test/test.portproxy.ts
+++ b/test/test.portproxy.ts
@ -113,20 +113,21 @@ tap.test('should forward TCP connections to custom host', async () => {
 });
 // Test custom IP forwarding
-// SIMPLIFIED: This version avoids port ranges and domain configs to prevent loops
+// Modified to work in Docker/CI environments without needing 127.0.0.2
 tap.test('should forward connections to custom IP', async () => {
  // Set up ports that are FAR apart to avoid any possible confusion
  const forcedProxyPort = PROXY_PORT + 2;      // 4003 - The port that our proxy listens on
-  const targetServerPort = TEST_SERVER_PORT + 200;  // 4200 - Target test server on another IP
+  const targetServerPort = TEST_SERVER_PORT + 200;  // 4200 - Target test server on different port
-  // Create a test server listening on 127.0.0.2:4200
+  // Create a test server listening on a unique port on 127.0.0.1 (works in all environments)
-  const testServer2 = await createTestServer(targetServerPort, '127.0.0.2');
+  const testServer2 = await createTestServer(targetServerPort, '127.0.0.1');
-  // Simplify the test drastically - use ONE proxy with very explicit configuration
+  // We're simulating routing to a different IP by using a different port
  // This tests the core functionality without requiring multiple IPs
  const domainProxy = new PortProxy({
    fromPort: forcedProxyPort,  // 4003 - Listen on this port
-    toPort: targetServerPort,   // 4200 - Default forwarding port - MUST BE DIFFERENT from fromPort
+    toPort: targetServerPort,   // 4200 - Forward to this port
-    targetIP: '127.0.0.2',      // Forward to IP where test server is
+    targetIP: '127.0.0.1',      // Always use localhost (works in Docker)
    domainConfigs: [],          // No domain configs to confuse things
    sniEnabled: false,
    defaultAllowedIPs: ['127.0.0.1', '::ffff:127.0.0.1'], // Allow localhost
--- a/test/test.router.ts
+++ b/test/test.router.ts
@ -197,6 +197,52 @@ tap.test('should match wildcard subdomains', async () => {
  expect(result).toEqual(wildcardConfig);
 });
 // Test TLD wildcards (example.*)
 tap.test('should match TLD wildcards', async () => {
  const tldWildcardConfig = createProxyConfig('example.*');
  router.setNewProxyConfigs([tldWildcardConfig]);
  // Test that example.com matches example.*
  const req1 = createMockRequest('example.com');
  const result1 = router.routeReq(req1);
  expect(result1).toBeTruthy();
  expect(result1).toEqual(tldWildcardConfig);
  // Test that example.org matches example.*
  const req2 = createMockRequest('example.org');
  const result2 = router.routeReq(req2);
  expect(result2).toBeTruthy();
  expect(result2).toEqual(tldWildcardConfig);
  // Test that subdomain.example.com doesn't match example.*
  const req3 = createMockRequest('subdomain.example.com');
  const result3 = router.routeReq(req3);
  expect(result3).toBeUndefined();
 });
 // Test complex pattern matching (*.lossless*)
 tap.test('should match complex wildcard patterns', async () => {
  const complexWildcardConfig = createProxyConfig('*.lossless*');
  router.setNewProxyConfigs([complexWildcardConfig]);
  // Test that sub.lossless.com matches *.lossless*
  const req1 = createMockRequest('sub.lossless.com');
  const result1 = router.routeReq(req1);
  expect(result1).toBeTruthy();
  expect(result1).toEqual(complexWildcardConfig);
  // Test that api.lossless.org matches *.lossless*
  const req2 = createMockRequest('api.lossless.org');
  const result2 = router.routeReq(req2);
  expect(result2).toBeTruthy();
  expect(result2).toEqual(complexWildcardConfig);
  // Test that losslessapi.com matches *.lossless*
  const req3 = createMockRequest('losslessapi.com');
  const result3 = router.routeReq(req3);
  expect(result3).toBeUndefined(); // Should not match as it doesn't have a subdomain
 });
 // Test default configuration fallback
 tap.test('should fall back to default configuration', async () => {
  const defaultConfig = createProxyConfig('*');
--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@push.rocks/smartproxy',
-  version: '3.29.1',
+  version: '3.37.0',
-  description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.'
+  description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
 }
--- a/ts/classes.networkproxy.ts
+++ b/ts/classes.networkproxy.ts
@ -1,5 +1,6 @@
 import * as plugins from './plugins.js';
 import { ProxyRouter } from './classes.router.js';
 import { AcmeCertManager, CertManagerEvents } from './classes.port80handler.js';
 import * as fs from 'fs';
 import * as path from 'path';
 import { fileURLToPath } from 'url';
@ -20,6 +21,18 @@ export interface INetworkProxyOptions {
  // New settings for PortProxy integration
  connectionPoolSize?: number; // Maximum connections to maintain in the pool to each backend
  portProxyIntegration?: boolean; // Flag to indicate this proxy is used by PortProxy
  // ACME certificate management options
  acme?: {
    enabled?: boolean;              // Whether to enable automatic certificate management
    port?: number;                  // Port to listen on for ACME challenges (default: 80)
    contactEmail?: string;          // Email for Let's Encrypt account 
    useProduction?: boolean;        // Whether to use Let's Encrypt production (default: false for staging)
    renewThresholdDays?: number;    // Days before expiry to renew certificates (default: 30)
    autoRenew?: boolean;            // Whether to automatically renew certificates (default: true)
    certificateStore?: string;      // Directory to store certificates (default: ./certs)
    skipConfiguredCerts?: boolean;  // Skip domains that already have certificates configured
  };
 }
 interface IWebSocketWithHeartbeat extends plugins.wsDefault {
@ -59,6 +72,10 @@ export class NetworkProxy {
  private defaultCertificates: { key: string; cert: string };
  private certificateCache: Map<string, { key: string; cert: string; expires?: Date }> = new Map();
  // ACME certificate manager
  private certManager: AcmeCertManager | null = null;
  private certificateStoreDir: string;
  // New connection pool for backend connections
  private connectionPool: Map<string, Array<{
    socket: plugins.net.Socket;
@ -66,6 +83,9 @@ export class NetworkProxy {
    isIdle: boolean;
  }>> = new Map();
  // Track round-robin positions for load balancing
  private roundRobinPositions: Map<string, number> = new Map();
  /**
   * Creates a new NetworkProxy instance
   */
@ -85,9 +105,33 @@ export class NetworkProxy {
      },
      // New defaults for PortProxy integration
      connectionPoolSize: optionsArg.connectionPoolSize || 50,
-      portProxyIntegration: optionsArg.portProxyIntegration || false
+      portProxyIntegration: optionsArg.portProxyIntegration || false,
      // Default ACME options
      acme: {
        enabled: optionsArg.acme?.enabled || false,
        port: optionsArg.acme?.port || 80,
        contactEmail: optionsArg.acme?.contactEmail || 'admin@example.com',
        useProduction: optionsArg.acme?.useProduction || false, // Default to staging for safety
        renewThresholdDays: optionsArg.acme?.renewThresholdDays || 30,
        autoRenew: optionsArg.acme?.autoRenew !== false, // Default to true
        certificateStore: optionsArg.acme?.certificateStore || './certs',
        skipConfiguredCerts: optionsArg.acme?.skipConfiguredCerts || false
      }
    };
    // Set up certificate store directory
    this.certificateStoreDir = path.resolve(this.options.acme.certificateStore);
    // Ensure certificate store directory exists
    try {
      if (!fs.existsSync(this.certificateStoreDir)) {
        fs.mkdirSync(this.certificateStoreDir, { recursive: true });
        this.log('info', `Created certificate store directory: ${this.certificateStoreDir}`);
      }
    } catch (error) {
      this.log('warn', `Failed to create certificate store directory: ${error}`);
    }
    this.loadDefaultCertificates();
  }
@ -330,17 +374,230 @@ export class NetworkProxy {
    }
  }
  /**
   * Initializes the ACME certificate manager for automatic certificate issuance
   * @private
   */
  private async initializeAcmeManager(): Promise<void> {
    if (!this.options.acme.enabled) {
      return;
    }
    // Create certificate manager
    this.certManager = new AcmeCertManager({
      port: this.options.acme.port,
      contactEmail: this.options.acme.contactEmail,
      useProduction: this.options.acme.useProduction,
      renewThresholdDays: this.options.acme.renewThresholdDays,
      httpsRedirectPort: this.options.port, // Redirect to our HTTPS port
      renewCheckIntervalHours: 24 // Check daily for renewals
    });
    // Register event handlers
    this.certManager.on(CertManagerEvents.CERTIFICATE_ISSUED, this.handleCertificateIssued.bind(this));
    this.certManager.on(CertManagerEvents.CERTIFICATE_RENEWED, this.handleCertificateIssued.bind(this));
    this.certManager.on(CertManagerEvents.CERTIFICATE_FAILED, this.handleCertificateFailed.bind(this));
    this.certManager.on(CertManagerEvents.CERTIFICATE_EXPIRING, (data) => {
      this.log('info', `Certificate for ${data.domain} expires in ${data.daysRemaining} days`);
    });
    // Start the manager
    try {
      await this.certManager.start();
      this.log('info', `ACME Certificate Manager started on port ${this.options.acme.port}`);
      // Add domains from proxy configs
      this.registerDomainsWithAcmeManager();
    } catch (error) {
      this.log('error', `Failed to start ACME Certificate Manager: ${error}`);
      this.certManager = null;
    }
  }
  /**
   * Registers domains from proxy configs with the ACME manager
   * @private
   */
  private registerDomainsWithAcmeManager(): void {
    if (!this.certManager) return;
    // Get all hostnames from proxy configs
    this.proxyConfigs.forEach(config => {
      const hostname = config.hostName;
      // Skip wildcard domains - can't get certs for these with HTTP-01 validation
      if (hostname.includes('*')) {
        this.log('info', `Skipping wildcard domain for ACME: ${hostname}`);
        return;
      }
      // Skip domains already with certificates if configured to do so
      if (this.options.acme.skipConfiguredCerts) {
        const cachedCert = this.certificateCache.get(hostname);
        if (cachedCert) {
          this.log('info', `Skipping domain with existing certificate: ${hostname}`);
          return;
        }
      }
      // Check for existing certificate in the store
      const certPath = path.join(this.certificateStoreDir, `${hostname}.cert.pem`);
      const keyPath = path.join(this.certificateStoreDir, `${hostname}.key.pem`);
      try {
        if (fs.existsSync(certPath) && fs.existsSync(keyPath)) {
          // Load existing certificate and key
          const cert = fs.readFileSync(certPath, 'utf8');
          const key = fs.readFileSync(keyPath, 'utf8');
          // Extract expiry date from certificate if possible
          let expiryDate: Date | undefined;
          try {
            const matches = cert.match(/Not After\s*:\s*(.*?)(?:\n|$)/i);
            if (matches && matches[1]) {
              expiryDate = new Date(matches[1]);
            }
          } catch (error) {
            this.log('warn', `Failed to extract expiry date from certificate for ${hostname}`);
          }
          // Update the certificate in the manager
          this.certManager.setCertificate(hostname, cert, key, expiryDate);
          // Also update our own certificate cache
          this.updateCertificateCache(hostname, cert, key, expiryDate);
          this.log('info', `Loaded existing certificate for ${hostname}`);
        } else {
          // Register the domain for certificate issuance
          this.certManager.addDomain(hostname);
          this.log('info', `Registered domain for ACME certificate issuance: ${hostname}`);
        }
      } catch (error) {
        this.log('error', `Error registering domain ${hostname} with ACME manager: ${error}`);
      }
    });
  }
  /**
   * Handles newly issued or renewed certificates from ACME manager
   * @private
   */
  private handleCertificateIssued(data: { domain: string; certificate: string; privateKey: string; expiryDate: Date }): void {
    const { domain, certificate, privateKey, expiryDate } = data;
    this.log('info', `Certificate ${this.certificateCache.has(domain) ? 'renewed' : 'issued'} for ${domain}, valid until ${expiryDate.toISOString()}`);
    // Update certificate in HTTPS server
    this.updateCertificateCache(domain, certificate, privateKey, expiryDate);
    // Save the certificate to the filesystem
    this.saveCertificateToStore(domain, certificate, privateKey);
  }
  /**
   * Handles certificate issuance failures
   * @private
   */
  private handleCertificateFailed(data: { domain: string; error: string }): void {
    this.log('error', `Certificate issuance failed for ${data.domain}: ${data.error}`);
  }
  /**
   * Saves certificate and private key to the filesystem
   * @private
   */
  private saveCertificateToStore(domain: string, certificate: string, privateKey: string): void {
    try {
      const certPath = path.join(this.certificateStoreDir, `${domain}.cert.pem`);
      const keyPath = path.join(this.certificateStoreDir, `${domain}.key.pem`);
      fs.writeFileSync(certPath, certificate);
      fs.writeFileSync(keyPath, privateKey);
      // Ensure private key has restricted permissions
      try {
        fs.chmodSync(keyPath, 0o600);
      } catch (error) {
        this.log('warn', `Failed to set permissions on private key for ${domain}: ${error}`);
      }
      this.log('info', `Saved certificate for ${domain} to ${certPath}`);
    } catch (error) {
      this.log('error', `Failed to save certificate for ${domain}: ${error}`);
    }
  }
  /**
   * Handles SNI (Server Name Indication) for TLS connections
   * Used by the HTTPS server to select the correct certificate for each domain
   * @private
   */
  private handleSNI(domain: string, cb: (err: Error | null, ctx: plugins.tls.SecureContext) => void): void {
    this.log('debug', `SNI request for domain: ${domain}`);
    // Check if we have a certificate for this domain
    const certs = this.certificateCache.get(domain);
    if (certs) {
      try {
        // Create TLS context with the cached certificate
        const context = plugins.tls.createSecureContext({
          key: certs.key,
          cert: certs.cert
        });
        this.log('debug', `Using cached certificate for ${domain}`);
        cb(null, context);
        return;
      } catch (err) {
        this.log('error', `Error creating secure context for ${domain}:`, err);
      }
    }
    // Check if we should trigger certificate issuance
    if (this.options.acme?.enabled && this.certManager && !domain.includes('*')) {
      // Check if this domain is already registered
      const certData = this.certManager.getCertificate(domain);
      if (!certData) {
        this.log('info', `No certificate found for ${domain}, registering for issuance`);
        this.certManager.addDomain(domain);
      }
    }
    // Fall back to default certificate
    try {
      const context = plugins.tls.createSecureContext({
        key: this.defaultCertificates.key,
        cert: this.defaultCertificates.cert
      });
      this.log('debug', `Using default certificate for ${domain}`);
      cb(null, context);
    } catch (err) {
      this.log('error', `Error creating default secure context:`, err);
      cb(new Error('Cannot create secure context'), null);
    }
  }
  /**
   * Starts the proxy server
   */
  public async start(): Promise<void> {
    this.startTime = Date.now();
    // Initialize ACME certificate manager if enabled
    if (this.options.acme.enabled) {
      await this.initializeAcmeManager();
    }
    // Create the HTTPS server
    this.httpsServer = plugins.https.createServer(
      {
        key: this.defaultCertificates.key,
-        cert: this.defaultCertificates.cert
+        cert: this.defaultCertificates.cert,
        SNICallback: (domain, cb) => this.handleSNI(domain, cb)
      },
      (req, res) => this.handleRequest(req, res)
    );
@ -556,7 +813,10 @@ export class NetworkProxy {
    const outGoingDeferred = plugins.smartpromise.defer();
    try {
-      const wsTarget = `ws://${wsDestinationConfig.destinationIp}:${wsDestinationConfig.destinationPort}${reqArg.url}`;
+      // Select destination IP and port for WebSocket
      const wsDestinationIp = this.selectDestinationIp(wsDestinationConfig);
      const wsDestinationPort = this.selectDestinationPort(wsDestinationConfig);
      const wsTarget = `ws://${wsDestinationIp}:${wsDestinationPort}${reqArg.url}`;
      this.log('debug', `Proxying WebSocket to ${wsTarget}`);
      wsOutgoing = new plugins.wsDefault(wsTarget);
@ -688,8 +948,12 @@ export class NetworkProxy {
      const useConnectionPool = this.options.portProxyIntegration && 
                                originRequest.socket.remoteAddress?.includes('127.0.0.1');
      // Select destination IP and port from the arrays
      const destinationIp = this.selectDestinationIp(destinationConfig);
      const destinationPort = this.selectDestinationPort(destinationConfig);
      // Construct destination URL
-      const destinationUrl = `http://${destinationConfig.destinationIp}:${destinationConfig.destinationPort}${originRequest.url}`;
+      const destinationUrl = `http://${destinationIp}:${destinationPort}${originRequest.url}`;
      if (useConnectionPool) {
        this.log('debug', `[${reqId}] Proxying to ${destinationUrl} (using connection pool)`);
@ -697,8 +961,8 @@ export class NetworkProxy {
          reqId, 
          originRequest, 
          originResponse, 
-          destinationConfig.destinationIp, 
+          destinationIp, 
-          destinationConfig.destinationPort,
+          destinationPort,
          originRequest.url
        );
      } else {
@ -1084,6 +1348,80 @@ export class NetworkProxy {
    }
  }
  /**
   * Selects a destination IP from the array using round-robin
   * @param config The proxy configuration
   * @returns A destination IP address
   */
  private selectDestinationIp(config: plugins.tsclass.network.IReverseProxyConfig): string {
    // For array-based configs
    if (Array.isArray(config.destinationIps) && config.destinationIps.length > 0) {
      // Get the current position or initialize it
      const key = `ip_${config.hostName}`;
      let position = this.roundRobinPositions.get(key) || 0;
      // Select the IP using round-robin
      const selectedIp = config.destinationIps[position];
      // Update the position for next time
      position = (position + 1) % config.destinationIps.length;
      this.roundRobinPositions.set(key, position);
      return selectedIp;
    }
    // For backward compatibility with test suites that rely on specific behavior
    // Check if there's a proxyConfigs entry that matches this hostname
    const matchingConfig = this.proxyConfigs.find(cfg => 
      cfg.hostName === config.hostName && 
      (cfg as any).destinationIp
    );
    if (matchingConfig) {
      return (matchingConfig as any).destinationIp;
    }
    // Fallback to localhost
    return 'localhost';
  }
  /**
   * Selects a destination port from the array using round-robin
   * @param config The proxy configuration
   * @returns A destination port number
   */
  private selectDestinationPort(config: plugins.tsclass.network.IReverseProxyConfig): number {
    // For array-based configs
    if (Array.isArray(config.destinationPorts) && config.destinationPorts.length > 0) {
      // Get the current position or initialize it
      const key = `port_${config.hostName}`;
      let position = this.roundRobinPositions.get(key) || 0;
      // Select the port using round-robin
      const selectedPort = config.destinationPorts[position];
      // Update the position for next time
      position = (position + 1) % config.destinationPorts.length;
      this.roundRobinPositions.set(key, position);
      return selectedPort;
    }
    // For backward compatibility with test suites that rely on specific behavior
    // Check if there's a proxyConfigs entry that matches this hostname
    const matchingConfig = this.proxyConfigs.find(cfg => 
      cfg.hostName === config.hostName && 
      (cfg as any).destinationPort
    );
    if (matchingConfig) {
      return parseInt((matchingConfig as any).destinationPort, 10);
    }
    // Fallback to port 80
    return 80;
  }
  /**
   * Updates proxy configurations
   */
@ -1144,6 +1482,48 @@ export class NetworkProxy {
    }
  }
  /**
   * Converts PortProxy domain configurations to NetworkProxy configs
   * @param domainConfigs PortProxy domain configs
   * @param sslKeyPair Default SSL key pair to use if not specified
   * @returns Array of NetworkProxy configs
   */
  public convertPortProxyConfigs(
    domainConfigs: Array<{
      domains: string[];
      targetIPs?: string[];
      allowedIPs?: string[];
    }>,
    sslKeyPair?: { key: string; cert: string }
  ): plugins.tsclass.network.IReverseProxyConfig[] {
    const proxyConfigs: plugins.tsclass.network.IReverseProxyConfig[] = [];
    // Use default certificates if not provided
    const sslKey = sslKeyPair?.key || this.defaultCertificates.key;
    const sslCert = sslKeyPair?.cert || this.defaultCertificates.cert;
    for (const domainConfig of domainConfigs) {
      // Each domain in the domains array gets its own config
      for (const domain of domainConfig.domains) {
        // Skip non-hostname patterns (like IP addresses)
        if (domain.match(/^\d+\.\d+\.\d+\.\d+$/) || domain === '*' || domain === 'localhost') {
          continue;
        }
        proxyConfigs.push({
          hostName: domain,
          destinationIps: domainConfig.targetIPs || ['localhost'],
          destinationPorts: [this.options.port], // Use the NetworkProxy port
          privateKey: sslKey,
          publicKey: sslCert
        });
      }
    }
    this.log('info', `Converted ${domainConfigs.length} PortProxy configs to ${proxyConfigs.length} NetworkProxy configs`);
    return proxyConfigs;
  }
  /**
   * Adds default headers to be included in all responses
   */
@ -1208,6 +1588,16 @@ export class NetworkProxy {
    }
    this.connectionPool.clear();
    // Stop ACME certificate manager if it's running
    if (this.certManager) {
      try {
        await this.certManager.stop();
        this.log('info', 'ACME Certificate Manager stopped');
      } catch (error) {
        this.log('error', 'Error stopping ACME Certificate Manager', error);
      }
    }
    // Close the HTTPS server
    return new Promise((resolve) => {
      this.httpsServer.close(() => {
@ -1217,6 +1607,71 @@ export class NetworkProxy {
    });
  }
  /**
   * Requests a new certificate for a domain
   * This can be used to manually trigger certificate issuance
   * @param domain The domain to request a certificate for
   * @returns A promise that resolves when the request is submitted (not when the certificate is issued)
   */
  public async requestCertificate(domain: string): Promise<boolean> {
    if (!this.options.acme.enabled) {
      this.log('warn', 'ACME certificate management is not enabled');
      return false;
    }
    if (!this.certManager) {
      this.log('error', 'ACME certificate manager is not initialized');
      return false;
    }
    // Skip wildcard domains - can't get certs for these with HTTP-01 validation
    if (domain.includes('*')) {
      this.log('error', `Cannot request certificate for wildcard domain: ${domain}`);
      return false;
    }
    try {
      this.certManager.addDomain(domain);
      this.log('info', `Certificate request submitted for domain: ${domain}`);
      return true;
    } catch (error) {
      this.log('error', `Error requesting certificate for domain ${domain}:`, error);
      return false;
    }
  }
  /**
   * Updates the certificate cache for a domain
   * @param domain The domain name
   * @param certificate The certificate (PEM format)
   * @param privateKey The private key (PEM format)
   * @param expiryDate Optional expiry date
   */
  private updateCertificateCache(domain: string, certificate: string, privateKey: string, expiryDate?: Date): void {
    // Update certificate context in HTTPS server if it's running
    if (this.httpsServer) {
      try {
        this.httpsServer.addContext(domain, {
          key: privateKey,
          cert: certificate
        });
        this.log('debug', `Updated SSL context for domain: ${domain}`);
      } catch (error) {
        this.log('error', `Error updating SSL context for domain ${domain}:`, error);
      }
    }
    // Update certificate in cache
    this.certificateCache.set(domain, {
      key: privateKey,
      cert: certificate,
      expires: expiryDate
    });
    // Add to active contexts set
    this.activeContexts.add(domain);
  }
  /**
   * Logs a message according to the configured log level
   */
--- a/ts/classes.portproxy.ts
+++ b/ts/classes.portproxy.ts
@ -10,10 +10,6 @@ export interface IDomainConfig {
  portRanges?: Array<{ from: number; to: number }>; // Optional port ranges
  // Allow domain-specific timeout override
  connectionTimeout?: number; // Connection timeout override (ms)
  // New properties for NetworkProxy integration
  useNetworkProxy?: boolean; // When true, forwards TLS connections to NetworkProxy
  networkProxyIndex?: number; // Optional index to specify which NetworkProxy to use (defaults to 0)
 }
 /** Port proxy settings including global allowed port ranges */
@ -60,8 +56,21 @@ export interface IPortProxySettings extends plugins.tls.TlsOptions {
  keepAliveInactivityMultiplier?: number; // Multiplier for inactivity timeout for keep-alive connections
  extendedKeepAliveLifetime?: number; // Extended lifetime for keep-alive connections (ms)
-  // New property for NetworkProxy integration
+  // NetworkProxy integration
-  networkProxies?: NetworkProxy[]; // Array of NetworkProxy instances to use for TLS termination
+  useNetworkProxy?: number[]; // Array of ports to forward to NetworkProxy
  networkProxyPort?: number; // Port where NetworkProxy is listening (default: 8443)
  // ACME certificate management options
  acme?: {
    enabled?: boolean;              // Whether to enable automatic certificate management
    port?: number;                  // Port to listen on for ACME challenges (default: 80)
    contactEmail?: string;          // Email for Let's Encrypt account 
    useProduction?: boolean;        // Whether to use Let's Encrypt production (default: false for staging)
    renewThresholdDays?: number;    // Days before expiry to renew certificates (default: 30)
    autoRenew?: boolean;            // Whether to automatically renew certificates (default: true)
    certificateStore?: string;      // Directory to store certificates (default: ./certs)
    skipConfiguredCerts?: boolean;  // Skip domains that already have certificates configured
  };
 }
 /**
@ -97,9 +106,15 @@ interface IConnectionRecord {
  incomingTerminationReason?: string | null; // Reason for incoming termination
  outgoingTerminationReason?: string | null; // Reason for outgoing termination
-  // New field for NetworkProxy tracking
+  // NetworkProxy tracking
  usingNetworkProxy?: boolean; // Whether this connection is using a NetworkProxy
-  networkProxyIndex?: number; // Which NetworkProxy instance is being used
+
  // Renegotiation handler
  renegotiationHandler?: (chunk: Buffer) => void; // Handler for renegotiation detection
  // Browser connection tracking
  isBrowserConnection?: boolean; // Whether this connection appears to be from a browser
  domainSwitches?: number; // Number of times the domain has been switched on this connection
 }
 /**
@ -266,6 +281,29 @@ function extractSNI(buffer: Buffer, enableLogging: boolean = false): string | un
  }
 }
 /**
 * Checks if a TLS record is a proper ClientHello message (more accurate than just checking record type)
 * @param buffer - Buffer containing the TLS record
 * @returns true if the buffer contains a proper ClientHello message
 */
 function isClientHello(buffer: Buffer): boolean {
  try {
    if (buffer.length < 9) return false; // Too small for a proper ClientHello
    // Check record type (has to be handshake - 22)
    if (buffer.readUInt8(0) !== 22) return false;
    // After the TLS record header (5 bytes), check the handshake type (1 for ClientHello)
    if (buffer.readUInt8(5) !== 1) return false;
    // Basic checks passed, this appears to be a ClientHello
    return true;
  } catch (err) {
    console.log(`Error checking for ClientHello: ${err}`);
    return false;
  }
 }
 // Helper: Check if a port falls within any of the given port ranges
 const isPortInRanges = (port: number, ranges: Array<{ from: number; to: number }>): boolean => {
  return ranges.some((range) => port >= range.from && port <= range.to);
@ -349,8 +387,8 @@ export class PortProxy {
  private connectionsByIP: Map<string, Set<string>> = new Map();
  private connectionRateByIP: Map<string, number[]> = new Map();
-  // New property to store NetworkProxy instances
+  // NetworkProxy instance for TLS termination
-  private networkProxies: NetworkProxy[] = [];
+  private networkProxy: NetworkProxy | null = null;
  constructor(settingsArg: IPortProxySettings) {
    // Set reasonable defaults for all settings
@ -370,29 +408,228 @@ export class PortProxy {
      // Socket optimization settings
      noDelay: settingsArg.noDelay !== undefined ? settingsArg.noDelay : true,
      keepAlive: settingsArg.keepAlive !== undefined ? settingsArg.keepAlive : true,
-      keepAliveInitialDelay: settingsArg.keepAliveInitialDelay || 10000, // 10 seconds (reduced for responsiveness)
+      keepAliveInitialDelay: settingsArg.keepAliveInitialDelay || 10000, // 10 seconds
-      maxPendingDataSize: settingsArg.maxPendingDataSize || 10 * 1024 * 1024, // 10MB to handle large TLS handshakes
+      maxPendingDataSize: settingsArg.maxPendingDataSize || 10 * 1024 * 1024, // 10MB
      // Feature flags
      disableInactivityCheck: settingsArg.disableInactivityCheck || false,
      enableKeepAliveProbes: settingsArg.enableKeepAliveProbes !== undefined 
-        ? settingsArg.enableKeepAliveProbes : true, // Enable by default
+                            ? settingsArg.enableKeepAliveProbes : true,
      enableDetailedLogging: settingsArg.enableDetailedLogging || false,
      enableTlsDebugLogging: settingsArg.enableTlsDebugLogging || false,
-      enableRandomizedTimeouts: settingsArg.enableRandomizedTimeouts || false, // Disable randomization by default
+      enableRandomizedTimeouts: settingsArg.enableRandomizedTimeouts || false,
      // Rate limiting defaults
-      maxConnectionsPerIP: settingsArg.maxConnectionsPerIP || 100, // 100 connections per IP
+      maxConnectionsPerIP: settingsArg.maxConnectionsPerIP || 100,
-      connectionRateLimitPerMinute: settingsArg.connectionRateLimitPerMinute || 300, // 300 per minute
+      connectionRateLimitPerMinute: settingsArg.connectionRateLimitPerMinute || 300,
      // Enhanced keep-alive settings
-      keepAliveTreatment: settingsArg.keepAliveTreatment || 'extended', // Extended by default
+      keepAliveTreatment: settingsArg.keepAliveTreatment || 'extended',
-      keepAliveInactivityMultiplier: settingsArg.keepAliveInactivityMultiplier || 6, // 6x normal inactivity timeout
+      keepAliveInactivityMultiplier: settingsArg.keepAliveInactivityMultiplier || 6,
      extendedKeepAliveLifetime: settingsArg.extendedKeepAliveLifetime || 7 * 24 * 60 * 60 * 1000, // 7 days
      // NetworkProxy settings
      networkProxyPort: settingsArg.networkProxyPort || 8443, // Default NetworkProxy port
      // ACME certificate settings with reasonable defaults
      acme: settingsArg.acme || {
        enabled: false,
        port: 80,
        contactEmail: 'admin@example.com',
        useProduction: false,
        renewThresholdDays: 30,
        autoRenew: true,
        certificateStore: './certs',
        skipConfiguredCerts: false
      }
    };
-    // Store NetworkProxy instances if provided
+    // Initialize NetworkProxy if enabled
-    this.networkProxies = settingsArg.networkProxies || [];
+    if (this.settings.useNetworkProxy && this.settings.useNetworkProxy.length > 0) {
      this.initializeNetworkProxy();
    }
  }
  /**
   * Initialize NetworkProxy instance
   */
  private async initializeNetworkProxy(): Promise<void> {
    if (!this.networkProxy) {
      // Configure NetworkProxy options based on PortProxy settings
      const networkProxyOptions: any = {
        port: this.settings.networkProxyPort!,
        portProxyIntegration: true,
        logLevel: this.settings.enableDetailedLogging ? 'debug' : 'info'
      };
      // Add ACME settings if configured
      if (this.settings.acme) {
        networkProxyOptions.acme = { ...this.settings.acme };
      }
      this.networkProxy = new NetworkProxy(networkProxyOptions);
      console.log(`Initialized NetworkProxy on port ${this.settings.networkProxyPort}`);
      // Convert and apply domain configurations to NetworkProxy
      await this.syncDomainConfigsToNetworkProxy();
    }
  }
  /**
   * Updates the domain configurations for the proxy
   * @param newDomainConfigs The new domain configurations
   */
  public async updateDomainConfigs(newDomainConfigs: IDomainConfig[]): Promise<void> {
    console.log(`Updating domain configurations (${newDomainConfigs.length} configs)`);
    this.settings.domainConfigs = newDomainConfigs;
    // If NetworkProxy is initialized, resync the configurations
    if (this.networkProxy) {
      await this.syncDomainConfigsToNetworkProxy();
    }
  }
  /**
   * Updates the ACME certificate settings
   * @param acmeSettings New ACME settings
   */
  public async updateAcmeSettings(acmeSettings: IPortProxySettings['acme']): Promise<void> {
    console.log('Updating ACME certificate settings');
    // Update settings
    this.settings.acme = {
      ...this.settings.acme,
      ...acmeSettings
    };
    // If NetworkProxy is initialized, update its ACME settings
    if (this.networkProxy) {
      try {
        // Recreate NetworkProxy with new settings if ACME enabled state has changed
        if (this.settings.acme.enabled !== acmeSettings.enabled) {
          console.log(`ACME enabled state changed to: ${acmeSettings.enabled}`);
          // Stop the current NetworkProxy
          await this.networkProxy.stop();
          this.networkProxy = null;
          // Reinitialize with new settings
          await this.initializeNetworkProxy();
          // Use start() to make sure ACME gets initialized if newly enabled
          await this.networkProxy.start();
        } else {
          // Update existing NetworkProxy with new settings
          // Note: Some settings may require a restart to take effect
          console.log('Updating ACME settings in NetworkProxy');
          // For certificate renewals, we might want to trigger checks with the new settings
          if (acmeSettings.renewThresholdDays) {
            console.log(`Setting new renewal threshold to ${acmeSettings.renewThresholdDays} days`);
            // This is implementation-dependent but gives an example
            if (this.networkProxy.options.acme) {
              this.networkProxy.options.acme.renewThresholdDays = acmeSettings.renewThresholdDays;
            }
          }
        }
      } catch (err) {
        console.log(`Error updating ACME settings: ${err}`);
      }
    }
  }
  /**
   * Synchronizes PortProxy domain configurations to NetworkProxy
   * This allows domains configured in PortProxy to be used by NetworkProxy
   */
  private async syncDomainConfigsToNetworkProxy(): Promise<void> {
    if (!this.networkProxy) {
      console.log('Cannot sync configurations - NetworkProxy not initialized');
      return;
    }
    try {
      // Get SSL certificates from assets
      // Import fs directly since it's not in plugins
      const fs = await import('fs');
      let certPair;
      try {
        certPair = {
          key: fs.readFileSync('assets/certs/key.pem', 'utf8'),
          cert: fs.readFileSync('assets/certs/cert.pem', 'utf8')
        };
      } catch (certError) {
        console.log(`Warning: Could not read default certificates: ${certError}`);
        console.log('Using empty certificate placeholders - ACME will generate proper certificates if enabled');
        // Use empty placeholders - NetworkProxy will use its internal defaults
        // or ACME will generate proper ones if enabled
        certPair = {
          key: '',
          cert: ''
        };
      }
      // Convert domain configs to NetworkProxy configs
      const proxyConfigs = this.networkProxy.convertPortProxyConfigs(
        this.settings.domainConfigs,
        certPair
      );
      // Log ACME-eligible domains if ACME is enabled
      if (this.settings.acme?.enabled) {
        const acmeEligibleDomains = proxyConfigs
          .filter(config => !config.hostName.includes('*')) // Exclude wildcards
          .map(config => config.hostName);
        if (acmeEligibleDomains.length > 0) {
          console.log(`Domains eligible for ACME certificates: ${acmeEligibleDomains.join(', ')}`);
        } else {
          console.log('No domains eligible for ACME certificates found in configuration');
        }
      }
      // Update NetworkProxy with the converted configs
      this.networkProxy.updateProxyConfigs(proxyConfigs).then(() => {
        console.log(`Successfully synchronized ${proxyConfigs.length} domain configurations to NetworkProxy`);
      }).catch(err => {
        console.log(`Error synchronizing configurations: ${err.message}`);
      });
    } catch (err) {
      console.log(`Failed to sync configurations: ${err}`);
    }
  }
  /**
   * Requests a certificate for a specific domain
   * @param domain The domain to request a certificate for
   * @returns Promise that resolves to true if the request was successful, false otherwise
   */
  public async requestCertificate(domain: string): Promise<boolean> {
    if (!this.networkProxy) {
      console.log('Cannot request certificate - NetworkProxy not initialized');
      return false;
    }
    if (!this.settings.acme?.enabled) {
      console.log('Cannot request certificate - ACME is not enabled');
      return false;
    }
    try {
      const result = await this.networkProxy.requestCertificate(domain);
      if (result) {
        console.log(`Certificate request for ${domain} submitted successfully`);
      } else {
        console.log(`Certificate request for ${domain} failed`);
      }
      return result;
    } catch (err) {
      console.log(`Error requesting certificate: ${err}`);
      return false;
    }
  }
  /**
@ -400,51 +637,49 @@ export class PortProxy {
   * @param connectionId - Unique connection identifier
   * @param socket - The incoming client socket
   * @param record - The connection record
   * @param domainConfig - The domain configuration
   * @param initialData - Initial data chunk (TLS ClientHello)
   * @param serverName - SNI hostname (if available)
   */
  private forwardToNetworkProxy(
    connectionId: string,
    socket: plugins.net.Socket,
    record: IConnectionRecord,
-    domainConfig: IDomainConfig,
+    initialData: Buffer
    initialData: Buffer,
    serverName?: string
  ): void {
-    // Determine which NetworkProxy to use
+    // Ensure NetworkProxy is initialized
-    const proxyIndex = domainConfig.networkProxyIndex !== undefined 
+    if (!this.networkProxy) {
-      ? domainConfig.networkProxyIndex
+      console.log(
-      : 0;
+        `[${connectionId}] NetworkProxy not initialized. Using fallback direct connection.`
-      
+      );
    // Validate the NetworkProxy index
    if (proxyIndex < 0 || proxyIndex >= this.networkProxies.length) {
      console.log(`[${connectionId}] Invalid NetworkProxy index: ${proxyIndex}. Using fallback direct connection.`);
      // Fall back to direct connection
-      return this.setupDirectConnection(connectionId, socket, record, domainConfig, serverName, initialData);
+      return this.setupDirectConnection(
        connectionId,
        socket,
        record,
        undefined,
        undefined,
        initialData
      );
    }
-    const networkProxy = this.networkProxies[proxyIndex];
+    const proxyPort = this.networkProxy.getListeningPort();
    const proxyPort = networkProxy.getListeningPort();
    const proxyHost = 'localhost'; // Assuming NetworkProxy runs locally
    if (this.settings.enableDetailedLogging) {
      console.log(
-        `[${connectionId}] Forwarding TLS connection to NetworkProxy[${proxyIndex}] at ${proxyHost}:${proxyPort}`
+        `[${connectionId}] Forwarding TLS connection to NetworkProxy at ${proxyHost}:${proxyPort}`
      );
    }
    // Create a connection to the NetworkProxy
    const proxySocket = plugins.net.connect({
      host: proxyHost,
-      port: proxyPort
+      port: proxyPort,
    });
    // Store the outgoing socket in the record
    record.outgoing = proxySocket;
    record.outgoingStartTime = Date.now();
    record.usingNetworkProxy = true;
    record.networkProxyIndex = proxyIndex;
    // Set up error handlers
    proxySocket.on('error', (err) => {
@ -475,7 +710,9 @@ export class PortProxy {
      socket.on('close', () => {
        if (this.settings.enableDetailedLogging) {
-          console.log(`[${connectionId}] Client connection closed after forwarding to NetworkProxy`);
+          console.log(
            `[${connectionId}] Client connection closed after forwarding to NetworkProxy`
          );
        }
        this.cleanupConnection(record, 'client_closed');
      });
@ -486,7 +723,7 @@ export class PortProxy {
      if (this.settings.enableDetailedLogging) {
        console.log(
-          `[${connectionId}] TLS connection successfully forwarded to NetworkProxy[${proxyIndex}]`
+          `[${connectionId}] TLS connection successfully forwarded to NetworkProxy`
        );
      }
    });
@ -585,7 +822,9 @@ export class PortProxy {
        } catch (err) {
          // Ignore errors - these are optional enhancements
          if (this.settings.enableDetailedLogging) {
-            console.log(`[${connectionId}] Enhanced TCP keep-alive not supported for outgoing socket: ${err}`);
+            console.log(
              `[${connectionId}] Enhanced TCP keep-alive not supported for outgoing socket: ${err}`
            );
          }
        }
      }
@ -642,7 +881,9 @@ export class PortProxy {
      // For keep-alive connections, just log a warning instead of closing
      if (record.hasKeepAlive) {
        console.log(
-          `[${connectionId}] Timeout event on incoming keep-alive connection from ${record.remoteIP} after ${plugins.prettyMs(
+          `[${connectionId}] Timeout event on incoming keep-alive connection from ${
            record.remoteIP
          } after ${plugins.prettyMs(
            this.settings.socketTimeout || 3600000
          )}. Connection preserved.`
        );
@ -652,9 +893,9 @@ export class PortProxy {
      // For non-keep-alive connections, proceed with normal cleanup
      console.log(
-        `[${connectionId}] Timeout on incoming side from ${record.remoteIP} after ${plugins.prettyMs(
+        `[${connectionId}] Timeout on incoming side from ${
-          this.settings.socketTimeout || 3600000
+          record.remoteIP
-        )}`
+        } after ${plugins.prettyMs(this.settings.socketTimeout || 3600000)}`
      );
      if (record.incomingTerminationReason === null) {
        record.incomingTerminationReason = 'timeout';
@ -667,7 +908,9 @@ export class PortProxy {
      // For keep-alive connections, just log a warning instead of closing
      if (record.hasKeepAlive) {
        console.log(
-          `[${connectionId}] Timeout event on outgoing keep-alive connection from ${record.remoteIP} after ${plugins.prettyMs(
+          `[${connectionId}] Timeout event on outgoing keep-alive connection from ${
            record.remoteIP
          } after ${plugins.prettyMs(
            this.settings.socketTimeout || 3600000
          )}. Connection preserved.`
        );
@ -677,9 +920,9 @@ export class PortProxy {
      // For non-keep-alive connections, proceed with normal cleanup
      console.log(
-        `[${connectionId}] Timeout on outgoing side from ${record.remoteIP} after ${plugins.prettyMs(
+        `[${connectionId}] Timeout on outgoing side from ${
-          this.settings.socketTimeout || 3600000
+          record.remoteIP
-        )}`
+        } after ${plugins.prettyMs(this.settings.socketTimeout || 3600000)}`
      );
      if (record.outgoingTerminationReason === null) {
        record.outgoingTerminationReason = 'timeout';
@ -695,7 +938,9 @@ export class PortProxy {
      targetSocket.setTimeout(0);
      if (this.settings.enableDetailedLogging) {
-        console.log(`[${connectionId}] Disabled socket timeouts for immortal keep-alive connection`);
+        console.log(
          `[${connectionId}] Disabled socket timeouts for immortal keep-alive connection`
        );
      }
    } else {
      // Set normal timeouts for other connections
@ -725,9 +970,7 @@ export class PortProxy {
        const combinedData = Buffer.concat(record.pendingData);
        targetSocket.write(combinedData, (err) => {
          if (err) {
-            console.log(
+            console.log(`[${connectionId}] Error writing pending data to target: ${err.message}`);
              `[${connectionId}] Error writing pending data to target: ${err.message}`
            );
            return this.initiateCleanupOnce(record, 'write_error');
          }
@ -746,7 +989,9 @@ export class PortProxy {
                    ? ` (Port-based for domain: ${domainConfig.domains.join(', ')})`
                    : ''
                }` +
-                ` TLS: ${record.isTLS ? 'Yes' : 'No'}, Keep-Alive: ${record.hasKeepAlive ? 'Yes' : 'No'}`
+                ` TLS: ${record.isTLS ? 'Yes' : 'No'}, Keep-Alive: ${
                  record.hasKeepAlive ? 'Yes' : 'No'
                }`
            );
          } else {
            console.log(
@ -777,7 +1022,9 @@ export class PortProxy {
                  ? ` (Port-based for domain: ${domainConfig.domains.join(', ')})`
                  : ''
              }` +
-              ` TLS: ${record.isTLS ? 'Yes' : 'No'}, Keep-Alive: ${record.hasKeepAlive ? 'Yes' : 'No'}`
+              ` TLS: ${record.isTLS ? 'Yes' : 'No'}, Keep-Alive: ${
                record.hasKeepAlive ? 'Yes' : 'No'
              }`
          );
        } else {
          console.log(
@ -797,30 +1044,45 @@ export class PortProxy {
      record.pendingData = [];
      record.pendingDataSize = 0;
-      // Add the renegotiation listener for SNI validation
+      // Add the renegotiation handler for SNI validation with strict domain enforcement
      if (serverName) {
-        socket.on('data', (renegChunk: Buffer) => {
+        // Define a handler for checking renegotiation with improved detection
-          if (renegChunk.length > 0 && renegChunk.readUInt8(0) === 22) {
+        const renegotiationHandler = (renegChunk: Buffer) => {
          // Only process if this looks like a TLS ClientHello
          if (isClientHello(renegChunk)) {
            try {
-              // Try to extract SNI from potential renegotiation
+              // Extract SNI from ClientHello
              const newSNI = extractSNI(renegChunk, this.settings.enableTlsDebugLogging);
-              if (newSNI && newSNI !== record.lockedDomain) {
+
              // Skip if no SNI was found
              if (!newSNI) return;
              // Handle SNI change during renegotiation - always terminate for domain switches
              if (newSNI !== record.lockedDomain) {
                // Log and terminate the connection for any SNI change
                console.log(
-                  `[${connectionId}] Rehandshake detected with different SNI: ${newSNI} vs locked ${record.lockedDomain}. Terminating connection.`
+                  `[${connectionId}] Renegotiation with different SNI: ${record.lockedDomain} -> ${newSNI}. ` +
                  `Terminating connection - SNI domain switching is not allowed.`
                );
                this.initiateCleanupOnce(record, 'sni_mismatch');
-              } else if (newSNI && this.settings.enableDetailedLogging) {
+              } else if (this.settings.enableDetailedLogging) {
                console.log(
-                  `[${connectionId}] Rehandshake detected with same SNI: ${newSNI}. Allowing.`
+                  `[${connectionId}] Renegotiation detected with same SNI: ${newSNI}. Allowing.`
                );
              }
            } catch (err) {
              console.log(
-                `[${connectionId}] Error processing potential renegotiation: ${err}. Allowing connection to continue.`
+                `[${connectionId}] Error processing ClientHello: ${err}. Allowing connection to continue.`
              );
            }
          }
-        });
+        };
        // Store the handler in the connection record so we can remove it during cleanup
        record.renegotiationHandler = renegotiationHandler;
        // Add the listener
        socket.on('data', renegotiationHandler);
      }
      // Set connection timeout with simpler logic
@ -831,7 +1093,9 @@ export class PortProxy {
      // For immortal keep-alive connections, skip setting a timeout completely
      if (record.hasKeepAlive && this.settings.keepAliveTreatment === 'immortal') {
        if (this.settings.enableDetailedLogging) {
-          console.log(`[${connectionId}] Keep-alive connection with immortal treatment - no max lifetime`);
+          console.log(
            `[${connectionId}] Keep-alive connection with immortal treatment - no max lifetime`
          );
        }
        // No cleanup timer for immortal connections
      }
@ -842,9 +1106,9 @@ export class PortProxy {
        record.cleanupTimer = setTimeout(() => {
          console.log(
-            `[${connectionId}] Keep-alive connection from ${record.remoteIP} exceeded extended lifetime (${plugins.prettyMs(
+            `[${connectionId}] Keep-alive connection from ${
-              extendedTimeout
+              record.remoteIP
-            )}), forcing cleanup.`
+            } exceeded extended lifetime (${plugins.prettyMs(extendedTimeout)}), forcing cleanup.`
          );
          this.initiateCleanupOnce(record, 'extended_lifetime');
        }, safeTimeout);
@ -855,20 +1119,25 @@ export class PortProxy {
        }
        if (this.settings.enableDetailedLogging) {
-          console.log(`[${connectionId}] Keep-alive connection with extended lifetime of ${plugins.prettyMs(extendedTimeout)}`);
+          console.log(
            `[${connectionId}] Keep-alive connection with extended lifetime of ${plugins.prettyMs(
              extendedTimeout
            )}`
          );
        }
      }
      // For standard connections, use normal timeout
      else {
        // Use domain-specific timeout if available, otherwise use default
-        const connectionTimeout = record.domainConfig?.connectionTimeout || this.settings.maxConnectionLifetime!;
+        const connectionTimeout =
          record.domainConfig?.connectionTimeout || this.settings.maxConnectionLifetime!;
        const safeTimeout = ensureSafeTimeout(connectionTimeout);
        record.cleanupTimer = setTimeout(() => {
          console.log(
-            `[${connectionId}] Connection from ${record.remoteIP} exceeded max lifetime (${plugins.prettyMs(
+            `[${connectionId}] Connection from ${
-              connectionTimeout
+              record.remoteIP
-            )}), forcing cleanup.`
+            } exceeded max lifetime (${plugins.prettyMs(connectionTimeout)}), forcing cleanup.`
          );
          this.initiateCleanupOnce(record, 'connection_timeout');
        }, safeTimeout);
@ -973,6 +1242,16 @@ export class PortProxy {
      const bytesReceived = record.bytesReceived;
      const bytesSent = record.bytesSent;
      // Remove the renegotiation handler if present
      if (record.renegotiationHandler && record.incoming) {
        try {
          record.incoming.removeListener('data', record.renegotiationHandler);
          record.renegotiationHandler = undefined;
        } catch (err) {
          console.log(`[${record.id}] Error removing renegotiation handler: ${err}`);
        }
      }
      try {
        if (!record.incoming.destroyed) {
          // Try graceful shutdown first, then force destroy after a short timeout
@ -1047,8 +1326,11 @@ export class PortProxy {
            ` Duration: ${plugins.prettyMs(
              duration
            )}, Bytes IN: ${bytesReceived}, OUT: ${bytesSent}, ` +
-            `TLS: ${record.isTLS ? 'Yes' : 'No'}, Keep-Alive: ${record.hasKeepAlive ? 'Yes' : 'No'}` +
+            `TLS: ${record.isTLS ? 'Yes' : 'No'}, Keep-Alive: ${
-            `${record.usingNetworkProxy ? `, NetworkProxy: ${record.networkProxyIndex}` : ''}`
+              record.hasKeepAlive ? 'Yes' : 'No'
            }` +
            `${record.usingNetworkProxy ? ', Using NetworkProxy' : ''}` +
            `${record.domainSwitches ? `, Domain switches: ${record.domainSwitches}` : ''}`
        );
      } else {
        console.log(
@ -1091,7 +1373,10 @@ export class PortProxy {
      console.log(`[${record.id}] Connection cleanup initiated for ${record.remoteIP} (${reason})`);
    }
-    if (record.incomingTerminationReason === null || record.incomingTerminationReason === undefined) {
+    if (
      record.incomingTerminationReason === null ||
      record.incomingTerminationReason === undefined
    ) {
      record.incomingTerminationReason = reason;
      this.incrementTerminationStat('incoming', reason);
    }
@ -1184,6 +1469,29 @@ export class PortProxy {
      return;
    }
    // Initialize NetworkProxy if needed (useNetworkProxy is set but networkProxy isn't initialized)
    if (this.settings.useNetworkProxy && this.settings.useNetworkProxy.length > 0 && !this.networkProxy) {
      await this.initializeNetworkProxy();
    }
    // Start NetworkProxy if configured
    if (this.networkProxy) {
      await this.networkProxy.start();
      console.log(`NetworkProxy started on port ${this.settings.networkProxyPort}`);
      // Log ACME status
      if (this.settings.acme?.enabled) {
        console.log(`ACME certificate management is enabled (${this.settings.acme.useProduction ? 'Production' : 'Staging'} mode)`);
        console.log(`ACME HTTP challenge server on port ${this.settings.acme.port}`);
        // Register domains for ACME certificates if enabled
        if (this.networkProxy.options.acme?.enabled) {
          console.log('Registering domains with ACME certificate manager...');
          // The NetworkProxy will handle this internally via registerDomainsWithAcmeManager()
        }
      }
    }
    // Define a unified connection handler for all listening ports.
    const connectionHandler = (socket: plugins.net.Socket) => {
      if (this.isShuttingDown) {
@ -1244,8 +1552,12 @@ export class PortProxy {
        incomingTerminationReason: null,
        outgoingTerminationReason: null,
-        // Initialize NetworkProxy tracking fields
+        // Initialize NetworkProxy tracking
-        usingNetworkProxy: false
+        usingNetworkProxy: false,
        // Initialize browser connection tracking
        isBrowserConnection: false,
        domainSwitches: 0, 
      };
      // Apply keep-alive settings if enabled
@ -1266,7 +1578,9 @@ export class PortProxy {
          } catch (err) {
            // Ignore errors - these are optional enhancements
            if (this.settings.enableDetailedLogging) {
-              console.log(`[${connectionId}] Enhanced TCP keep-alive settings not supported: ${err}`);
+              console.log(
                `[${connectionId}] Enhanced TCP keep-alive settings not supported: ${err}`
              );
            }
          }
        }
@ -1288,8 +1602,63 @@ export class PortProxy {
        );
      }
      // Check if this connection should be forwarded directly to NetworkProxy based on port
      const shouldUseNetworkProxy = this.settings.useNetworkProxy && 
                                    this.settings.useNetworkProxy.includes(localPort);
      if (shouldUseNetworkProxy) {
        // For NetworkProxy ports, we want to capture the TLS handshake and forward directly
        let initialDataReceived = false;
        // Set an initial timeout for handshake data
        let initialTimeout: NodeJS.Timeout | null = setTimeout(() => {
          if (!initialDataReceived) {
            console.log(
              `[${connectionId}] Initial data timeout (${this.settings.initialDataTimeout}ms) for connection from ${remoteIP} on port ${localPort}`
            );
            if (connectionRecord.incomingTerminationReason === null) {
              connectionRecord.incomingTerminationReason = 'initial_timeout';
              this.incrementTerminationStat('incoming', 'initial_timeout');
            }
            socket.end();
            this.cleanupConnection(connectionRecord, 'initial_timeout');
          }
        }, this.settings.initialDataTimeout!);
        // Make sure timeout doesn't keep the process alive
        if (initialTimeout.unref) {
          initialTimeout.unref();
        }
        socket.on('error', this.handleError('incoming', connectionRecord));
        // First data handler to capture initial TLS handshake for NetworkProxy
        socket.once('data', (chunk: Buffer) => {
          // Clear the initial timeout since we've received data
          if (initialTimeout) {
            clearTimeout(initialTimeout);
            initialTimeout = null;
          }
          initialDataReceived = true;
          connectionRecord.hasReceivedInitialData = true;
          // Check if this looks like a TLS handshake
          if (isTlsHandshake(chunk)) {
            connectionRecord.isTLS = true;
            // Forward directly to NetworkProxy without SNI processing
            this.forwardToNetworkProxy(connectionId, socket, connectionRecord, chunk);
          } else {
            // If not TLS, use normal direct connection
            console.log(`[${connectionId}] Non-TLS connection on NetworkProxy port ${localPort}`);
            this.setupDirectConnection(connectionId, socket, connectionRecord, undefined, undefined, chunk);
          }
        });
      } else {
        // For non-NetworkProxy ports, proceed with normal processing
        // Define helpers for rejecting connections
        const rejectIncomingConnection = (reason: string, logMessage: string) => {
          console.log(`[${connectionId}] ${logMessage}`);
@ -1301,6 +1670,8 @@ export class PortProxy {
          this.cleanupConnection(connectionRecord, reason);
        };
        let initialDataReceived = false;
        // Set an initial timeout for SNI data if needed
        let initialTimeout: NodeJS.Timeout | null = null;
        if (this.settings.sniEnabled) {
@ -1349,7 +1720,7 @@ export class PortProxy {
        });
        /**
-       * Sets up the connection to the target host or NetworkProxy.
+         * Sets up the connection to the target host.
         * @param serverName - The SNI hostname (unused when forcedDomain is provided).
         * @param initialChunk - Optional initial data chunk.
         * @param forcedDomain - If provided, overrides SNI/domain lookup (used for port-based routing).
@ -1418,23 +1789,6 @@ export class PortProxy {
                )}`
              );
            }
          // Check if we should forward this to a NetworkProxy
          if (
            isTlsHandshakeDetected && 
            domainConfig.useNetworkProxy === true && 
            initialChunk && 
            this.networkProxies.length > 0
          ) {
            return this.forwardToNetworkProxy(
              connectionId,
              socket,
              connectionRecord,
              domainConfig,
              initialChunk,
              serverName
            );
          }
          } else if (this.settings.defaultAllowedIPs && this.settings.defaultAllowedIPs.length > 0) {
            if (
              !isGlobIPAllowed(
@ -1450,7 +1804,12 @@ export class PortProxy {
            }
          }
-        // If we didn't forward to NetworkProxy, proceed with direct connection
+          // Save the initial SNI
          if (serverName) {
            connectionRecord.lockedDomain = serverName;
          }
          // Set up the direct connection
          return this.setupDirectConnection(
            connectionId,
            socket,
@ -1595,6 +1954,7 @@ export class PortProxy {
          setupConnection('');
        }
      }
    };
    // --- SETUP LISTENERS ---
@ -1619,10 +1979,11 @@ export class PortProxy {
        console.log(`Server Error on port ${port}: ${err.message}`);
      });
      server.listen(port, () => {
        const isNetworkProxyPort = this.settings.useNetworkProxy?.includes(port);
        console.log(
          `PortProxy -> OK: Now listening on port ${port}${
-            this.settings.sniEnabled ? ' (SNI passthrough enabled)' : ''
+            this.settings.sniEnabled && !isNetworkProxyPort ? ' (SNI passthrough enabled)' : ''
-          }${this.networkProxies.length > 0 ? ' (NetworkProxy integration enabled)' : ''}`
+          }${isNetworkProxyPort ? ' (NetworkProxy forwarding enabled)' : ''}`
        );
      });
      this.netServers.push(server);
@ -1642,6 +2003,7 @@ export class PortProxy {
      let pendingTlsHandshakes = 0;
      let keepAliveConnections = 0;
      let networkProxyConnections = 0;
      let domainSwitchedConnections = 0;
      // Create a copy of the keys to avoid modification during iteration
      const connectionIds = [...this.connectionRecords.keys()];
@ -1670,11 +2032,14 @@ export class PortProxy {
          networkProxyConnections++;
        }
        if (record.domainSwitches && record.domainSwitches > 0) {
          domainSwitchedConnections++;
        }
        maxIncoming = Math.max(maxIncoming, now - record.incomingStartTime);
        if (record.outgoingStartTime) {
          maxOutgoing = Math.max(maxOutgoing, now - record.outgoingStartTime);
        }
        // Parity check: if outgoing socket closed and incoming remains active
        if (
          record.outgoingClosedTime &&
@ -1706,9 +2071,10 @@ export class PortProxy {
        }
        // Skip inactivity check if disabled or for immortal keep-alive connections
-        if (!this.settings.disableInactivityCheck && 
+        if (
-            !(record.hasKeepAlive && this.settings.keepAliveTreatment === 'immortal')) {
+          !this.settings.disableInactivityCheck &&
-          
+          !(record.hasKeepAlive && this.settings.keepAliveTreatment === 'immortal')
        ) {
          const inactivityTime = now - record.lastActivity;
          // Use extended timeout for extended-treatment keep-alive connections
@ -1722,7 +2088,9 @@ export class PortProxy {
            // For keep-alive connections, issue a warning first
            if (record.hasKeepAlive && !record.inactivityWarningIssued) {
              console.log(
-                `[${id}] Warning: Keep-alive connection from ${record.remoteIP} inactive for ${plugins.prettyMs(inactivityTime)}. ` +
+                `[${id}] Warning: Keep-alive connection from ${
                  record.remoteIP
                } inactive for ${plugins.prettyMs(inactivityTime)}. ` +
                  `Will close in 10 minutes if no activity.`
              );
@ -1754,7 +2122,9 @@ export class PortProxy {
          } else if (inactivityTime <= effectiveTimeout && record.inactivityWarningIssued) {
            // If activity detected after warning, clear the warning
            if (this.settings.enableDetailedLogging) {
-              console.log(`[${id}] Connection activity detected after inactivity warning, resetting warning`);
+              console.log(
                `[${id}] Connection activity detected after inactivity warning, resetting warning`
              );
            }
            record.inactivityWarningIssued = false;
          }
@ -1765,7 +2135,8 @@ export class PortProxy {
      console.log(
        `Active connections: ${this.connectionRecords.size}. ` +
          `Types: TLS=${tlsConnections} (Completed=${completedTlsHandshakes}, Pending=${pendingTlsHandshakes}), ` +
-          `Non-TLS=${nonTlsConnections}, KeepAlive=${keepAliveConnections}, NetworkProxy=${networkProxyConnections}. ` +
+          `Non-TLS=${nonTlsConnections}, KeepAlive=${keepAliveConnections}, NetworkProxy=${networkProxyConnections}, ` +
          `DomainSwitched=${domainSwitchedConnections}. ` +
          `Longest running: IN=${plugins.prettyMs(maxIncoming)}, OUT=${plugins.prettyMs(
            maxOutgoing
          )}. ` +
@ -1782,21 +2153,6 @@ export class PortProxy {
    }
  }
  /**
   * Add or replace NetworkProxy instances
   */
  public setNetworkProxies(networkProxies: NetworkProxy[]): void {
    this.networkProxies = networkProxies;
    console.log(`Updated NetworkProxy instances: ${this.networkProxies.length} proxies configured`);
  }
  /**
   * Get a list of configured NetworkProxy instances
   */
  public getNetworkProxies(): NetworkProxy[] {
    return this.networkProxies;
  }
  /**
   * Gracefully shut down the proxy
   */
@ -1888,6 +2244,22 @@ export class PortProxy {
      }
    }
    // Stop NetworkProxy if it was started (which also stops ACME manager)
    if (this.networkProxy) {
      try {
        console.log('Stopping NetworkProxy...');
        await this.networkProxy.stop();
        console.log('NetworkProxy stopped successfully');
        // Log ACME shutdown if it was enabled
        if (this.settings.acme?.enabled) {
          console.log('ACME certificate manager stopped');
        }
      } catch (err) {
        console.log(`Error stopping NetworkProxy: ${err}`);
      }
    }
    // Clear all tracking maps
    this.connectionRecords.clear();
    this.domainTargetIndices.clear();
--- a/ts/classes.router.ts
+++ b/ts/classes.router.ts
@ -19,6 +19,21 @@ export interface IRouterResult {
  pathRemainder?: string;
 }
 /**
 * Router for HTTP reverse proxy requests
 * 
 * Supports the following domain matching patterns:
 * - Exact matches: "example.com"
 * - Wildcard subdomains: "*.example.com" (matches any subdomain of example.com)
 * - TLD wildcards: "example.*" (matches example.com, example.org, etc.)
 * - Complex wildcards: "*.lossless*" (matches any subdomain of any lossless domain)
 * - Default fallback: "*" (matches any unmatched domain)
 * 
 * Also supports path pattern matching for each domain:
 * - Exact path: "/api/users"
 * - Wildcard paths: "/api/*" 
 * - Path parameters: "/users/:id/profile"
 */
 export class ProxyRouter {
  // Store original configs for reference
  private reverseProxyConfigs: tsclass.network.IReverseProxyConfig[] = [];
@ -98,9 +113,11 @@ export class ProxyRouter {
      return exactConfig;
    }
-    // Try wildcard subdomain
+    // Try various wildcard patterns
    if (hostWithoutPort.includes('.')) {
      const domainParts = hostWithoutPort.split('.');
      // Try wildcard subdomain (*.example.com)
      if (domainParts.length > 2) {
        const wildcardDomain = `*.${domainParts.slice(1).join('.')}`;
        const wildcardConfig = this.findConfigForHost(wildcardDomain, urlPath);
@ -108,6 +125,23 @@ export class ProxyRouter {
          return wildcardConfig;
        }
      }
      // Try TLD wildcard (example.*)
      const baseDomain = domainParts.slice(0, -1).join('.');
      const tldWildcardDomain = `${baseDomain}.*`;
      const tldWildcardConfig = this.findConfigForHost(tldWildcardDomain, urlPath);
      if (tldWildcardConfig) {
        return tldWildcardConfig;
      }
      // Try complex wildcard patterns
      const wildcardPatterns = this.findWildcardMatches(hostWithoutPort);
      for (const pattern of wildcardPatterns) {
        const wildcardConfig = this.findConfigForHost(pattern, urlPath);
        if (wildcardConfig) {
          return wildcardConfig;
        }
      }
    }
    // Fall back to default config if available
@ -120,6 +154,53 @@ export class ProxyRouter {
    return undefined;
  }
  /**
   * Find potential wildcard patterns that could match a given hostname
   * Handles complex patterns like "*.lossless*" or other partial matches
   * @param hostname The hostname to find wildcard matches for
   * @returns Array of potential wildcard patterns that could match
   */
  private findWildcardMatches(hostname: string): string[] {
    const patterns: string[] = [];
    const hostnameParts = hostname.split('.');
    // Find all configured hostnames that contain wildcards
    const wildcardConfigs = this.reverseProxyConfigs.filter(
      config => config.hostName.includes('*')
    );
    // Extract unique wildcard patterns
    const wildcardPatterns = [...new Set(
      wildcardConfigs.map(config => config.hostName.toLowerCase())
    )];
    // For each wildcard pattern, check if it could match the hostname
    // using simplified regex pattern matching
    for (const pattern of wildcardPatterns) {
      // Skip the default wildcard '*'
      if (pattern === '*') continue;
      // Skip already checked patterns (*.domain.com and domain.*)
      if (pattern.startsWith('*.') && pattern.indexOf('*', 2) === -1) continue;
      if (pattern.endsWith('.*') && pattern.indexOf('*') === pattern.length - 1) continue;
      // Convert wildcard pattern to regex
      const regexPattern = pattern
        .replace(/\./g, '\\.')  // Escape dots
        .replace(/\*/g, '.*');  // Convert * to .* for regex
      // Create regex object with case insensitive flag
      const regex = new RegExp(`^${regexPattern}$`, 'i');
      // If hostname matches this complex pattern, add it to the list
      if (regex.test(hostname)) {
        patterns.push(pattern);
      }
    }
    return patterns;
  }
  /**
   * Find a config for a specific host and path
   */
Author	SHA1	Message	Date
Philipp Kunz	d81cf94876	3.37.0 Some checks failed Default (tags) / security (push) Failing after 10m56s Details Default (tags) / test (push) Has been cancelled Details Default (tags) / release (push) Has been cancelled Details Default (tags) / metadata (push) Has been cancelled Details	2025-03-11 12:56:04 +00:00
Philipp Kunz	8d06f1533e	feat(portproxy): Add ACME certificate management options to PortProxy, update ACME settings handling, and bump dependency versions	2025-03-11 12:56:03 +00:00
Philipp Kunz	223be61c8d	3.35.0	2025-03-11 12:45:55 +00:00
Philipp Kunz	6a693f4d86	feat(NetworkProxy): Integrate Port80Handler for automatic ACME certificate management - Add ACME certificate management capabilities to NetworkProxy - Implement automatic certificate issuance and renewal - Add SNI support for serving the correct certificates - Create certificate storage and caching system - Enable dynamic certificate issuance for new domains - Support automatic HTTP-to-HTTPS redirects for secured domains 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-03-11 12:45:22 +00:00
Philipp Kunz	27a2bcb556	feat(NetworkProxy): Add support for array-based destinations and integration with PortProxy - Update NetworkProxy to support new IReverseProxyConfig interface with destinationIps[] and destinationPorts[] - Add load balancing with round-robin selection of destination endpoints - Create automatic conversion of PortProxy domain configs to NetworkProxy configs - Implement backward compatibility to ensure tests continue to work 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-03-11 12:34:24 +00:00
Philipp Kunz	0674ca7163	3.34.0 Some checks failed Default (tags) / security (push) Failing after 12m28s Details Default (tags) / test (push) Has been cancelled Details Default (tags) / release (push) Has been cancelled Details Default (tags) / metadata (push) Has been cancelled Details	2025-03-11 11:34:29 +00:00
Philipp Kunz	e31c84493f	feat(core): Improve wildcard domain matching and enhance NetworkProxy integration in PortProxy. Added support for TLD wildcards and complex wildcard patterns in the router, and refactored TLS renegotiation handling for stricter SNI enforcement.	2025-03-11 11:34:29 +00:00
Philipp Kunz	d2ad659d37	3.33.0 Some checks failed Default (tags) / security (push) Successful in 34s Details Default (tags) / test (push) Failing after 14m16s Details Default (tags) / release (push) Has been cancelled Details Default (tags) / metadata (push) Has been cancelled Details	2025-03-11 09:57:06 +00:00
Philipp Kunz	df7a12041e	feat(portproxy): Add browser-friendly mode and SNI renegotiation configuration options to PortProxy	2025-03-11 09:57:06 +00:00
Philipp Kunz	2b69150545	3.32.2 Some checks failed Default (tags) / security (push) Successful in 35s Details Default (tags) / test (push) Failing after 1m2s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-03-11 09:12:40 +00:00
Philipp Kunz	85cc57ae10	fix(PortProxy): Simplify TLS handshake SNI extraction and update timeout settings in PortProxy for improved maintainability and reliability.	2025-03-11 09:12:40 +00:00
Philipp Kunz	e021b66898	3.32.1 Some checks failed Default (tags) / security (push) Successful in 30s Details Default (tags) / test (push) Failing after 1m3s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-03-11 04:39:17 +00:00
Philipp Kunz	865d21b36a	fix(portproxy): Relax TLS handshake and connection timeout settings for improved stability in chained proxy scenarios; update TLS session cache defaults and add keep-alive flags to connection records.	2025-03-11 04:39:17 +00:00
Philipp Kunz	58ba0d9362	3.32.0 Some checks failed Default (tags) / security (push) Successful in 34s Details Default (tags) / test (push) Failing after 1m2s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-03-11 04:24:29 +00:00
Philipp Kunz	ccccc5b8c8	feat(PortProxy): Enhance TLS session cache, SNI extraction, and chained proxy support in PortProxy. Improve handling of multiple and fragmented TLS records, and add new configuration options (isChainedProxy, chainPosition, aggressiveTlsRefresh, tlsSessionCache) for robust TLS certificate refresh.	2025-03-11 04:24:29 +00:00
Philipp Kunz	d8466a866c	3.31.2 Some checks failed Default (tags) / security (push) Successful in 28s Details Default (tags) / test (push) Failing after 1m3s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-03-11 03:56:09 +00:00
Philipp Kunz	119b643690	fix(PortProxy): Improve SNI renegotiation handling by adding flexible domain configuration matching on rehandshake and session resumption events.	2025-03-11 03:56:09 +00:00
Philipp Kunz	98f1e0df4c	3.31.1 Some checks failed Default (tags) / security (push) Successful in 37s Details Default (tags) / test (push) Failing after 1m3s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-03-11 03:48:10 +00:00
Philipp Kunz	d6022c8f8a	fix(PortProxy): Improve TLS handshake buffering and enhance debug logging for SNI forwarding in PortProxy	2025-03-11 03:48:10 +00:00
Philipp Kunz	0ea0f02428	fix(PortProxy): Improve connection reliability for initial and resumed TLS sessions Added enhanced connection handling to fix issues with both initial connections and TLS session resumption: 1. Improved debugging for connection setup with detailed logging 2. Added explicit timeout for backend connections to prevent hanging connections 3. Enhanced error recovery for connection failures with faster client notification 4. Added detailed session tracking to maintain domain context across TLS sessions 5. Fixed handling of TLS renegotiation with improved activity timestamp updates This should address the issue where initial connections may fail but subsequent retries succeed, as well as ensuring proper certificate selection for resumed TLS sessions. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-03-11 03:33:03 +00:00
Philipp Kunz	e452f55203	3.31.0 Some checks failed Default (tags) / security (push) Successful in 35s Details Default (tags) / test (push) Failing after 1m4s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-03-11 03:16:04 +00:00
Philipp Kunz	55f25f1976	feat(PortProxy): Improve TLS handshake SNI extraction and add session resumption tracking in PortProxy	2025-03-11 03:16:04 +00:00
Philipp Kunz	98b7f3ed7f	3.30.8 Some checks failed Default (tags) / security (push) Failing after 11m56s Details Default (tags) / test (push) Has been cancelled Details Default (tags) / release (push) Has been cancelled Details Default (tags) / metadata (push) Has been cancelled Details	2025-03-11 02:50:01 +00:00
Philipp Kunz	cb83caeafd	fix(core): No changes in this commit.	2025-03-11 02:50:01 +00:00
Philipp Kunz	7850a80452	fix(PortProxy): Fix TypeScript errors by using correct variable names Fixed TypeScript errors caused by using 'connectionRecord' instead of 'record' in TLS renegotiation handlers. The variable name mistake occurred when moving and restructuring the TLS handshake detection code. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-03-11 02:47:57 +00:00
Philipp Kunz	ef8f583a90	fix(PortProxy): Move TLS renegotiation detection before socket piping Fundamentally restructured TLS renegotiation handling to ensure handshake packets are properly detected. The previous implementation attached event handlers after pipe() was established, which might have caused handshake packets to bypass detection. Key changes: 1. Moved renegotiation detection before pipe() to ensure all TLS handshake packets are detected 2. Added explicit lockedDomain setting for all SNI connections 3. Simplified the NetworkProxy TLS handshake detection 4. Removed redundant data handlers that could interfere with each other These changes should make renegotiation detection more reliable regardless of how Node.js internal pipe() implementation handles data events. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-03-11 02:45:51 +00:00
Philipp Kunz	2bdd6f8c1f	fix(PortProxy): Update activity timestamp during TLS renegotiation to prevent connection timeouts Ensures that TLS renegotiation packets properly update the connection's activity timestamp even when no SNI is present or when there are errors processing the renegotiation. This prevents connections from being closed due to inactivity during legitimate TLS renegotiation. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-03-11 02:40:08 +00:00
Philipp Kunz	99d28eafd1	3.30.7 Some checks failed Default (tags) / security (push) Successful in 29s Details Default (tags) / test (push) Failing after 1m1s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-03-11 02:25:59 +00:00
Philipp Kunz	788b444fcc	fix(PortProxy): Improve TLS renegotiation SNI handling by first checking if the new SNI is allowed under the existing domain config. If not, attempt to find an alternative domain config and update the locked domain accordingly; otherwise, terminate the connection on SNI mismatch.	2025-03-11 02:25:58 +00:00
Philipp Kunz	4225abe3c4	3.30.6 Some checks failed Default (tags) / security (push) Successful in 36s Details Default (tags) / test (push) Failing after 1m0s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-03-11 02:18:56 +00:00
Philipp Kunz	74fdb58f84	fix(PortProxy): Improve TLS renegotiation handling in PortProxy by validating the new SNI against allowed domain configurations. If the new SNI is permitted based on existing IP rules, update the locked domain to allow connection reuse; otherwise, terminate the connection to prevent misrouting.	2025-03-11 02:18:56 +00:00
Philipp Kunz	bffdaffe39	3.30.5 Some checks failed Default (tags) / security (push) Successful in 20s Details Default (tags) / test (push) Failing after 1m1s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-03-10 22:36:28 +00:00
Philipp Kunz	67a4228518	fix(internal): No uncommitted changes detected; project files and tests remain unchanged.	2025-03-10 22:36:28 +00:00
Philipp Kunz	681209f2e1	3.30.4 Some checks failed Default (tags) / security (push) Successful in 36s Details Default (tags) / test (push) Failing after 1m1s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-03-10 22:35:34 +00:00
Philipp Kunz	c415a6c361	fix(PortProxy): Fix TLS renegotiation handling and adjust TLS keep-alive timeouts in PortProxy implementation	2025-03-10 22:35:34 +00:00
Philipp Kunz	009e3c4f0e	3.30.3 Some checks failed Default (tags) / security (push) Failing after 14m48s Details Default (tags) / test (push) Has been cancelled Details Default (tags) / release (push) Has been cancelled Details Default (tags) / metadata (push) Has been cancelled Details	2025-03-10 22:07:12 +00:00
Philipp Kunz	f9c42975dc	fix(classes.portproxy.ts): Simplify timeout management in PortProxy and fix chained proxy certificate refresh issues	2025-03-10 22:07:12 +00:00
Philipp Kunz	feef949afe	3.30.2 Some checks failed Default (tags) / security (push) Successful in 34s Details Default (tags) / test (push) Failing after 1m10s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-03-10 14:15:03 +00:00
Philipp Kunz	8d3b07b1e6	fix(classes.portproxy.ts): Adjust TLS keep-alive timeout to refresh certificate context.	2025-03-10 14:15:03 +00:00
Philipp Kunz	51fe935f1f	3.30.1 Some checks failed Default (tags) / security (push) Successful in 36s Details Default (tags) / test (push) Failing after 1m9s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-03-10 14:13:57 +00:00
Philipp Kunz	146fac73cf	fix(PortProxy): Improve TLS keep-alive management and fix whitespace formatting	2025-03-10 14:13:56 +00:00
Philipp Kunz	4465cac807	3.30.0 Some checks failed Default (tags) / security (push) Failing after 16m2s Details Default (tags) / test (push) Has been cancelled Details Default (tags) / release (push) Has been cancelled Details Default (tags) / metadata (push) Has been cancelled Details	2025-03-08 12:40:55 +00:00
Philipp Kunz	9d7ed21cba	feat(PortProxy): Add advanced TLS keep-alive handling and system sleep detection	2025-03-08 12:40:55 +00:00
Philipp Kunz	54fbe5beac	3.29.3 Some checks failed Default (tags) / security (push) Successful in 19s Details Default (tags) / test (push) Failing after 1m0s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-03-07 15:50:25 +00:00
Philipp Kunz	0704853fa2	fix(core): Fix functional errors in the proxy setup and enhance pnpm configuration	2025-03-07 15:50:25 +00:00
Philipp Kunz	8cf22ee38b	3.29.2 Some checks failed Default (tags) / security (push) Successful in 39s Details Default (tags) / test (push) Failing after 48s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-03-07 15:46:34 +00:00
Philipp Kunz	f28e68e487	fix(PortProxy): Fix test for PortProxy handling of custom IPs in Docker/CI environments.	2025-03-07 15:46:34 +00:00