3.33.0

Added enhanced connection handling to fix issues with both initial connections and TLS session resumption:

1. Improved debugging for connection setup with detailed logging
2. Added explicit timeout for backend connections to prevent hanging connections
3. Enhanced error recovery for connection failures with faster client notification
4. Added detailed session tracking to maintain domain context across TLS sessions
5. Fixed handling of TLS renegotiation with improved activity timestamp updates

This should address the issue where initial connections may fail but subsequent retries succeed,
as well as ensuring proper certificate selection for resumed TLS sessions.

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

changelog.md

@@ -1,5 +1,68 @@
 # Changelog
 
+## 2025-03-11 - 3.33.0 - feat(portproxy)
+Add browser-friendly mode and SNI renegotiation configuration options to PortProxy
+
+- Introduce new properties: browserFriendlyMode (default true) to optimize handling for browser connections.
+- Add allowRenegotiationWithDifferentSNI (default false) to enable or disable SNI changes during renegotiation.
+- Include relatedDomainPatterns to define patterns for related domains that can share connections.
+- Update TypeScript interfaces and internal renegotiation logic to support these options.
+
+## 2025-03-11 - 3.32.2 - fix(PortProxy)
+Simplify TLS handshake SNI extraction and update timeout settings in PortProxy for improved maintainability and reliability.
+
+- Removed legacy and deprecated fields related to chained proxy configurations (isChainedProxy, chainPosition, aggressiveTlsRefresh).
+- Refactored the extractSNI functions to use a simpler, more robust approach for TLS ClientHello processing.
+- Adjusted default timeout and keep-alive settings to more standard values (e.g. initialDataTimeout set to 60s, socketTimeout to 1h).
+- Eliminated redundant TLS session cache and deep TLS refresh logic.
+- Improved logging and error handling during connection setup and renegotiation phases.
+
+## 2025-03-11 - 3.32.1 - fix(portproxy)
+Relax TLS handshake and connection timeout settings for improved stability in chained proxy scenarios; update TLS session cache defaults and add keep-alive flags to connection records.
+
+- Increased TLS session cache maximum entries from 10,000 to 20,000, expiry time from 24 hours to 7 days, and cleanup interval from 10 minutes to 30 minutes
+- Relaxed socket timeouts: standalone connections now use up to 6 hours, with chained proxies adjusted for 5–6 hours based on proxy position
+- Updated inactivity, connection, and initial handshake timeouts to provide a more relaxed behavior under high-traffic chained proxy scenarios
+- Increased keepAliveInitialDelay from 10 seconds to 30 seconds and introduced separate incoming and outgoing keep-alive flags
+- Enhanced TLS renegotiation handling with more detailed logging and temporary processing flags to avoid duplicate processing
+- Updated NetworkProxy integration to use optimized connection settings and more aggressive application-level keep-alive probes
+
+## 2025-03-11 - 3.32.0 - feat(PortProxy)
+Enhance TLS session cache, SNI extraction, and chained proxy support in PortProxy. Improve handling of multiple and fragmented TLS records, and add new configuration options (isChainedProxy, chainPosition, aggressiveTlsRefresh, tlsSessionCache) for robust TLS certificate refresh.
+
+- Implement TlsSessionCache with configurable cleanup, eviction, and statistics.
+- Improve extractSNIInfo to process multiple TLS records and partial handshake data.
+- Add new settings to detect chained proxy scenarios and adjust timeouts accordingly.
+- Enhance TLS state refresh with aggressive probing and deep refresh sequence.
+
+## 2025-03-11 - 3.31.2 - fix(PortProxy)
+Improve SNI renegotiation handling by adding flexible domain configuration matching on rehandshake and session resumption events.
+
+- When a rehandshake is detected with a changed SNI, first check existing domain config rules and log if allowed.
+- If the exact domain config is not found, additionally attempt flexible matching using parent domain and wildcard patterns.
+- For resumed sessions, try an exact match first and then use fallback logic to select a similar domain config based on matching target IP.
+- Enhanced logging added to help diagnose missing or mismatched domain configurations.
+
+## 2025-03-11 - 3.31.1 - fix(PortProxy)
+Improve TLS handshake buffering and enhance debug logging for SNI forwarding in PortProxy
+
+- Explicitly copy the initial TLS handshake data to prevent mutation before buffering
+- Log buffered TLS handshake data with SNI information for better diagnostics
+- Add detailed error logs on TLS connection failures, including server and domain config status
+- Output additional debug messages during ClientHello forwarding to verify proper TLS handshake processing
+
+## 2025-03-11 - 3.31.0 - feat(PortProxy)
+Improve TLS handshake SNI extraction and add session resumption tracking in PortProxy
+
+- Added ITlsSessionInfo interface and a global tlsSessionCache to track TLS session IDs for session resumption
+- Implemented a cleanup timer for the TLS session cache with startSessionCleanupTimer and stopSessionCleanupTimer
+- Enhanced extractSNIInfo to return detailed SNI information including session IDs, ticket details, and resumption status
+- Updated renegotiation handlers to use extractSNIInfo for proper SNI extraction during TLS rehandshake
+
+## 2025-03-11 - 3.30.8 - fix(core)
+No changes in this commit.
+
+
 ## 2025-03-11 - 3.30.7 - fix(PortProxy)
 Improve TLS renegotiation SNI handling by first checking if the new SNI is allowed under the existing domain config. If not, attempt to find an alternative domain config and update the locked domain accordingly; otherwise, terminate the connection on SNI mismatch.
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "3.30.7",
+  "version": "3.33.0",
   "private": false,
   "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.",
   "main": "dist_ts/index.js",

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '3.30.7',
+  version: '3.33.0',
   description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.'
 }

ts/classes.portproxy.ts

@@ -16,12 +16,7 @@ export interface IDomainConfig {
   networkProxyIndex?: number; // Optional index to specify which NetworkProxy to use (defaults to 0)
 }
 
-/** 
- * Port proxy settings including global allowed port ranges
- * 
- * NOTE: In version 3.31.0+, timeout settings have been simplified and hardcoded with sensible defaults
- * to ensure TLS certificate safety in all deployment scenarios, especially chained proxies.
- */
+/** Port proxy settings including global allowed port ranges */
 export interface IPortProxySettings extends plugins.tls.TlsOptions {
   fromPort: number;
   toPort: number;
@@ -32,10 +27,14 @@ export interface IPortProxySettings extends plugins.tls.TlsOptions {
   defaultBlockedIPs?: string[];
   preserveSourceIP?: boolean;
 
-  // Simplified timeout settings
+  // Timeout settings
+  initialDataTimeout?: number; // Timeout for initial data/SNI (ms), default: 60000 (60s)
+  socketTimeout?: number; // Socket inactivity timeout (ms), default: 3600000 (1h)
+  inactivityCheckInterval?: number; // How often to check for inactive connections (ms), default: 60000 (60s)
+  maxConnectionLifetime?: number; // Default max connection lifetime (ms), default: 86400000 (24h)
+  inactivityTimeout?: number; // Inactivity timeout (ms), default: 14400000 (4h)
+
   gracefulShutdownTimeout?: number; // (ms) maximum time to wait for connections to close during shutdown
-  
-  // Ranged port settings
   globalPortRanges: Array<{ from: number; to: number }>; // Global allowed port ranges
   forwardAllGlobalRanges?: boolean; // When true, forwards all connections on global port ranges to the global targetIP
 
@@ -45,7 +44,9 @@ export interface IPortProxySettings extends plugins.tls.TlsOptions {
   keepAliveInitialDelay?: number; // Initial delay before sending keepalive probes (ms)
   maxPendingDataSize?: number; // Maximum bytes to buffer during connection setup
 
-  // Logging settings
+  // Enhanced features
+  disableInactivityCheck?: boolean; // Disable inactivity checking entirely
+  enableKeepAliveProbes?: boolean; // Enable TCP keep-alive probes
   enableDetailedLogging?: boolean; // Enable detailed connection logging
   enableTlsDebugLogging?: boolean; // Enable TLS handshake debug logging
   enableRandomizedTimeouts?: boolean; // Randomize timeouts slightly to prevent thundering herd
@@ -54,8 +55,18 @@ export interface IPortProxySettings extends plugins.tls.TlsOptions {
   maxConnectionsPerIP?: number; // Maximum simultaneous connections from a single IP
   connectionRateLimitPerMinute?: number; // Max new connections per minute from a single IP
 
-  // NetworkProxy integration
+  // Enhanced keep-alive settings
+  keepAliveTreatment?: 'standard' | 'extended' | 'immortal'; // How to treat keep-alive connections
+  keepAliveInactivityMultiplier?: number; // Multiplier for inactivity timeout for keep-alive connections
+  extendedKeepAliveLifetime?: number; // Extended lifetime for keep-alive connections (ms)
+
+  // New property for NetworkProxy integration
   networkProxies?: NetworkProxy[]; // Array of NetworkProxy instances to use for TLS termination
+
+  // Browser optimization settings
+  browserFriendlyMode?: boolean; // Optimizes handling for browser connections
+  allowRenegotiationWithDifferentSNI?: boolean; // Allows SNI changes during renegotiation
+  relatedDomainPatterns?: string[][]; // Patterns for domains that should be allowed to share connections
 }
 
 /**
@@ -95,9 +106,12 @@ interface IConnectionRecord {
   usingNetworkProxy?: boolean; // Whether this connection is using a NetworkProxy
   networkProxyIndex?: number; // Which NetworkProxy instance is being used
 
-  // Sleep detection fields
-  possibleSystemSleep?: boolean; // Flag to indicate a possible system sleep was detected
-  lastSleepDetection?: number; // Timestamp of the last sleep detection
+  // New field for renegotiation handler
+  renegotiationHandler?: (chunk: Buffer) => void; // Handler for renegotiation detection
+
+  // Browser connection tracking
+  isBrowserConnection?: boolean; // Whether this connection appears to be from a browser
+  domainSwitches?: number; // Number of times the domain has been switched on this connection
 }
 
 /**
@@ -264,6 +278,58 @@ function extractSNI(buffer: Buffer, enableLogging: boolean = false): string | un
   }
 }
 
+/**
+ * Checks if a TLS record is a proper ClientHello message (more accurate than just checking record type)
+ * @param buffer - Buffer containing the TLS record
+ * @returns true if the buffer contains a proper ClientHello message
+ */
+function isClientHello(buffer: Buffer): boolean {
+  try {
+    if (buffer.length < 9) return false; // Too small for a proper ClientHello
+
+    // Check record type (has to be handshake - 22)
+    if (buffer.readUInt8(0) !== 22) return false;
+
+    // After the TLS record header (5 bytes), check the handshake type (1 for ClientHello)
+    if (buffer.readUInt8(5) !== 1) return false;
+
+    // Basic checks passed, this appears to be a ClientHello
+    return true;
+  } catch (err) {
+    console.log(`Error checking for ClientHello: ${err}`);
+    return false;
+  }
+}
+
+/**
+ * Checks if two domains are related based on configured patterns
+ * @param domain1 - First domain name
+ * @param domain2 - Second domain name
+ * @param relatedPatterns - Array of domain pattern groups where domains in the same group are considered related
+ * @returns true if domains are related, false otherwise
+ */
+function areDomainsRelated(
+  domain1: string,
+  domain2: string,
+  relatedPatterns?: string[][]
+): boolean {
+  // Only exact same domains or empty domains are automatically related
+  if (!domain1 || !domain2 || domain1 === domain2) return true;
+
+  // Check against configured related domain patterns - the ONLY source of truth
+  if (relatedPatterns && relatedPatterns.length > 0) {
+    for (const patternGroup of relatedPatterns) {
+      const domain1Matches = patternGroup.some((pattern) => plugins.minimatch(domain1, pattern));
+      const domain2Matches = patternGroup.some((pattern) => plugins.minimatch(domain2, pattern));
+
+      if (domain1Matches && domain2Matches) return true;
+    }
+  }
+
+  // If no patterns match, domains are not related
+  return false;
+}
+
 // Helper: Check if a port falls within any of the given port ranges
 const isPortInRanges = (port: number, ranges: Array<{ from: number; to: number }>): boolean => {
   return ranges.some((range) => port >= range.from && port <= range.to);
@@ -326,22 +392,7 @@ const randomizeTimeout = (baseTimeout: number, variationPercent: number = 5): nu
 
 export class PortProxy {
   private netServers: plugins.net.Server[] = [];
-  
-  // Define the internal settings interface to include all fields, including those removed from the public interface
-  settings: IPortProxySettings & {
-    // Internal fields removed from public interface in 3.31.0+
-    initialDataTimeout: number;
-    socketTimeout: number;
-    inactivityCheckInterval: number;
-    maxConnectionLifetime: number;
-    inactivityTimeout: number;
-    disableInactivityCheck: boolean;
-    enableKeepAliveProbes: boolean;
-    keepAliveTreatment: 'standard' | 'extended' | 'immortal';
-    keepAliveInactivityMultiplier: number;
-    extendedKeepAliveLifetime: number;
-  };
-  
+  settings: IPortProxySettings;
   private connectionRecords: Map<string, IConnectionRecord> = new Map();
   private connectionLogger: NodeJS.Timeout | null = null;
   private isShuttingDown: boolean = false;
@@ -366,41 +417,47 @@ export class PortProxy {
   private networkProxies: NetworkProxy[] = [];
 
   constructor(settingsArg: IPortProxySettings) {
-    // Set hardcoded sensible defaults for all settings
+    // Set reasonable defaults for all settings
     this.settings = {
       ...settingsArg,
       targetIP: settingsArg.targetIP || 'localhost',
 
-      // Hardcoded timeout settings optimized for TLS safety in all deployment scenarios
-      initialDataTimeout: 60000, // 60 seconds for initial handshake
-      socketTimeout: 1800000, // 30 minutes - short enough for regular certificate refresh
-      inactivityCheckInterval: 60000, // 60 seconds interval for regular cleanup
-      maxConnectionLifetime: 3600000, // 1 hour maximum lifetime for all connections
-      inactivityTimeout: 1800000, // 30 minutes inactivity timeout
-      
+      // Timeout settings with reasonable defaults
+      initialDataTimeout: settingsArg.initialDataTimeout || 60000, // 60 seconds for initial handshake
+      socketTimeout: ensureSafeTimeout(settingsArg.socketTimeout || 3600000), // 1 hour socket timeout
+      inactivityCheckInterval: settingsArg.inactivityCheckInterval || 60000, // 60 seconds interval
+      maxConnectionLifetime: ensureSafeTimeout(settingsArg.maxConnectionLifetime || 86400000), // 24 hours default
+      inactivityTimeout: ensureSafeTimeout(settingsArg.inactivityTimeout || 14400000), // 4 hours inactivity timeout
+
       gracefulShutdownTimeout: settingsArg.gracefulShutdownTimeout || 30000, // 30 seconds
 
       // Socket optimization settings
       noDelay: settingsArg.noDelay !== undefined ? settingsArg.noDelay : true,
       keepAlive: settingsArg.keepAlive !== undefined ? settingsArg.keepAlive : true,
-      keepAliveInitialDelay: settingsArg.keepAliveInitialDelay || 10000, // 10 seconds
+      keepAliveInitialDelay: settingsArg.keepAliveInitialDelay || 10000, // 10 seconds (reduced for responsiveness)
       maxPendingDataSize: settingsArg.maxPendingDataSize || 10 * 1024 * 1024, // 10MB to handle large TLS handshakes
 
-      // Feature flags - simplified with sensible defaults
-      disableInactivityCheck: false, // Always enable inactivity checks for TLS safety
-      enableKeepAliveProbes: true, // Always enable keep-alive probes for connection health
+      // Feature flags
+      disableInactivityCheck: settingsArg.disableInactivityCheck || false,
+      enableKeepAliveProbes:
+        settingsArg.enableKeepAliveProbes !== undefined ? settingsArg.enableKeepAliveProbes : true, // Enable by default
       enableDetailedLogging: settingsArg.enableDetailedLogging || false,
       enableTlsDebugLogging: settingsArg.enableTlsDebugLogging || false,
-      enableRandomizedTimeouts: settingsArg.enableRandomizedTimeouts || false,
+      enableRandomizedTimeouts: settingsArg.enableRandomizedTimeouts || false, // Disable randomization by default
 
       // Rate limiting defaults
       maxConnectionsPerIP: settingsArg.maxConnectionsPerIP || 100, // 100 connections per IP
       connectionRateLimitPerMinute: settingsArg.connectionRateLimitPerMinute || 300, // 300 per minute
 
-      // Keep-alive settings with sensible defaults that ensure certificate safety
-      keepAliveTreatment: 'standard', // Always use standard treatment for certificate safety
-      keepAliveInactivityMultiplier: 2, // 2x normal inactivity timeout for minimal extension
-      extendedKeepAliveLifetime: 3 * 60 * 60 * 1000, // 3 hours maximum (previously was 7 days!)
+      // Enhanced keep-alive settings
+      keepAliveTreatment: settingsArg.keepAliveTreatment || 'extended', // Extended by default
+      keepAliveInactivityMultiplier: settingsArg.keepAliveInactivityMultiplier || 6, // 6x normal inactivity timeout
+      extendedKeepAliveLifetime: settingsArg.extendedKeepAliveLifetime || 7 * 24 * 60 * 60 * 1000, // 7 days
+
+      // Browser optimization settings (new)
+      browserFriendlyMode: settingsArg.browserFriendlyMode || true, // On by default
+      allowRenegotiationWithDifferentSNI: settingsArg.allowRenegotiationWithDifferentSNI || false, // Off by default
+      relatedDomainPatterns: settingsArg.relatedDomainPatterns || [], // Empty by default
     };
 
     // Store NetworkProxy instances if provided
@@ -503,26 +560,7 @@ export class PortProxy {
       });
 
       // Update activity on data transfer
-      socket.on('data', (chunk: Buffer) => {
-        this.updateActivity(record);
-
-        // Check for potential TLS renegotiation or reconnection packets
-        if (chunk.length > 0 && chunk[0] === 22) {
-          // ContentType.handshake
-          if (this.settings.enableDetailedLogging) {
-            console.log(
-              `[${connectionId}] Detected potential TLS handshake data while connected to NetworkProxy`
-            );
-          }
-
-          // NOTE: We don't need to explicitly forward the renegotiation packets
-          // because socket.pipe(proxySocket) is already handling that.
-          // The pipe ensures all data (including renegotiation) flows through properly.
-          // Just update the activity timestamp to prevent timeouts
-          record.lastActivity = Date.now();
-        }
-      });
-
+      socket.on('data', () => this.updateActivity(record));
       proxySocket.on('data', () => this.updateActivity(record));
 
       if (this.settings.enableDetailedLogging) {
@@ -848,112 +886,75 @@ export class PortProxy {
       record.pendingData = [];
       record.pendingDataSize = 0;
 
-      // Add the renegotiation listener for SNI validation
+      // Add the renegotiation handler for SNI validation, with browser-friendly improvements
       if (serverName) {
-        // This listener will check for TLS renegotiation attempts
-        // Note: We don't need to explicitly forward the renegotiation packets
-        // since socket.pipe(targetSocket) is already set up earlier and handles that
-        socket.on('data', (renegChunk: Buffer) => {
-          if (renegChunk.length > 0 && renegChunk.readUInt8(0) === 22) {
+        // Define a handler for checking renegotiation with improved detection
+        const renegotiationHandler = (renegChunk: Buffer) => {
+          // Only process if this looks like a TLS ClientHello (more precise than just checking for type 22)
+          if (isClientHello(renegChunk)) {
             try {
-              // Try to extract SNI from potential renegotiation
+              // Extract SNI from ClientHello
               const newSNI = extractSNI(renegChunk, this.settings.enableTlsDebugLogging);
-              
-              // IMPORTANT: If we can't extract an SNI from renegotiation, we MUST allow it through
-              // Otherwise valid renegotiations that don't explicitly repeat the SNI will break
-              if (newSNI === undefined) {
-                if (this.settings.enableDetailedLogging) {
+
+              // Skip if no SNI was found
+              if (!newSNI) return;
+
+              // Handle SNI change during renegotiation
+              if (newSNI !== record.lockedDomain) {
+                // Track domain switches for browser connections
+                if (!record.domainSwitches) record.domainSwitches = 0;
+                record.domainSwitches++;
+
+                // Check if this is a normal behavior of browser connection reuse
+                const isRelatedDomain = areDomainsRelated(
+                  newSNI,
+                  record.lockedDomain || '',
+                  this.settings.relatedDomainPatterns
+                );
+
+                // Decide how to handle the SNI change based on settings
+                if (this.settings.browserFriendlyMode && isRelatedDomain) {
                   console.log(
-                    `[${connectionId}] Rehandshake detected without SNI, allowing it through.`
+                    `[${connectionId}] Browser domain switch detected: ${record.lockedDomain} -> ${newSNI}. ` +
+                      `Domains are related, allowing connection to continue (domain switch #${record.domainSwitches}).`
                   );
-                }
-                // Let it pass through - this is critical for Chrome's TLS handling
-                return;
-              }
-              
-              // Check if the SNI has changed
-              if (newSNI && newSNI !== record.lockedDomain) {
-                // Always check whether the new SNI would be allowed by the EXISTING domain config first
-                // This ensures we're using the same ruleset that allowed the initial connection
-                let allowed = false;
-                
-                // First check if the exact original domain config would allow this new SNI
-                if (record.domainConfig) {
-                  // Check if the new SNI matches any domain pattern in the original domain config
-                  allowed = record.domainConfig.domains.some(d => plugins.minimatch(newSNI, d));
-                  
-                  if (allowed && this.settings.enableDetailedLogging) {
-                    console.log(
-                      `[${connectionId}] Rehandshake with new SNI: ${newSNI} matched existing domain config ` +
-                      `patterns ${record.domainConfig.domains.join(', ')}. Allowing connection reuse.`
-                    );
-                  }
-                }
-                
-                // If not allowed by the existing domain config, try to find another domain config
-                if (!allowed) {
-                  const newDomainConfig = this.settings.domainConfigs.find((config) =>
-                    config.domains.some((d) => plugins.minimatch(newSNI, d))
-                  );
-                  
-                  // If we found a matching domain config, check IP rules
-                  if (newDomainConfig) {
-                    const effectiveAllowedIPs = [
-                      ...newDomainConfig.allowedIPs,
-                      ...(this.settings.defaultAllowedIPs || []),
-                    ];
-                    const effectiveBlockedIPs = [
-                      ...(newDomainConfig.blockedIPs || []),
-                      ...(this.settings.defaultBlockedIPs || []),
-                    ];
-                    
-                    // Check if the IP is allowed for the new domain
-                    allowed = isGlobIPAllowed(record.remoteIP, effectiveAllowedIPs, effectiveBlockedIPs);
-                    
-                    if (allowed && this.settings.enableDetailedLogging) {
-                      console.log(
-                        `[${connectionId}] Rehandshake with new SNI: ${newSNI} (previously ${record.lockedDomain}). ` +
-                        `New domain is allowed by different domain config rules, permitting connection reuse.`
-                      );
-                    }
-                    
-                    // Update the domain config reference to the new one
-                    if (allowed) {
-                      record.domainConfig = newDomainConfig;
-                    }
-                  }
-                }
-                
-                if (allowed) {
-                  // Update the locked domain to the new domain
+
+                  // Update the locked domain to the new one
                   record.lockedDomain = newSNI;
-                  if (this.settings.enableDetailedLogging) {
-                    console.log(
-                      `[${connectionId}] Updated locked domain for connection from ${record.remoteIP} to: ${newSNI}`
-                    );
-                  }
-                } else {
-                  // If we get here, either no matching domain config was found or the IP is not allowed
+                } else if (this.settings.allowRenegotiationWithDifferentSNI) {
                   console.log(
-                    `[${connectionId}] Rehandshake detected with different SNI: ${newSNI} vs locked ${record.lockedDomain}. ` +
-                    `New domain not allowed by any rules. Terminating connection.`
+                    `[${connectionId}] Renegotiation with different SNI: ${record.lockedDomain} -> ${newSNI}. ` +
+                      `Allowing due to allowRenegotiationWithDifferentSNI setting.`
+                  );
+
+                  // Update the locked domain to the new one
+                  record.lockedDomain = newSNI;
+                } else {
+                  // Standard strict behavior - terminate connection on SNI mismatch
+                  console.log(
+                    `[${connectionId}] Renegotiation with different SNI: ${record.lockedDomain} -> ${newSNI}. ` +
+                      `Terminating connection. Enable browserFriendlyMode to allow this.`
                   );
                   this.initiateCleanupOnce(record, 'sni_mismatch');
                 }
-              } else if (newSNI && this.settings.enableDetailedLogging) {
+              } else if (this.settings.enableDetailedLogging) {
                 console.log(
-                  `[${connectionId}] Rehandshake detected with same SNI: ${newSNI}. Allowing.`
+                  `[${connectionId}] Renegotiation detected with same SNI: ${newSNI}. Allowing.`
                 );
               }
             } catch (err) {
-              // Always allow the renegotiation to continue if we encounter an error
-              // This ensures Chrome can complete its TLS renegotiation
               console.log(
-                `[${connectionId}] Error processing potential renegotiation: ${err}. Allowing connection to continue.`
+                `[${connectionId}] Error processing ClientHello: ${err}. Allowing connection to continue.`
               );
             }
           }
-        });
+        };
+
+        // Store the handler in the connection record so we can remove it during cleanup
+        record.renegotiationHandler = renegotiationHandler;
+
+        // Add the listener
+        socket.on('data', renegotiationHandler);
       }
 
       // Set connection timeout with simpler logic
@@ -970,38 +971,6 @@ export class PortProxy {
         }
         // No cleanup timer for immortal connections
       }
-      // For TLS keep-alive connections, use a more generous timeout now that
-      // we've fixed the renegotiation handling issue that was causing certificate problems
-      else if (record.hasKeepAlive && record.isTLS) {
-        // Use a longer timeout for TLS connections now that renegotiation handling is fixed
-        // This reduces unnecessary reconnections while still ensuring certificate freshness
-        const tlsKeepAliveTimeout = 4 * 60 * 60 * 1000; // 4 hours for TLS keep-alive - increased from 30 minutes
-        const safeTimeout = ensureSafeTimeout(tlsKeepAliveTimeout);
-
-        record.cleanupTimer = setTimeout(() => {
-          console.log(
-            `[${connectionId}] TLS keep-alive connection from ${
-              record.remoteIP
-            } exceeded max lifetime (${plugins.prettyMs(
-              tlsKeepAliveTimeout
-            )}), forcing cleanup to refresh certificate context.`
-          );
-          this.initiateCleanupOnce(record, 'tls_certificate_refresh');
-        }, safeTimeout);
-
-        // Make sure timeout doesn't keep the process alive
-        if (record.cleanupTimer.unref) {
-          record.cleanupTimer.unref();
-        }
-
-        if (this.settings.enableDetailedLogging) {
-          console.log(
-            `[${connectionId}] TLS keep-alive connection with aggressive certificate refresh protection, lifetime: ${plugins.prettyMs(
-              tlsKeepAliveTimeout
-            )}`
-          );
-        }
-      }
       // For extended keep-alive connections, use extended timeout
       else if (record.hasKeepAlive && this.settings.keepAliveTreatment === 'extended') {
         const extendedTimeout = this.settings.extendedKeepAliveLifetime || 7 * 24 * 60 * 60 * 1000; // 7 days
@@ -1122,126 +1091,6 @@ export class PortProxy {
     this.terminationStats[side][reason] = (this.terminationStats[side][reason] || 0) + 1;
   }
 
-  /**
-   * Update connection activity timestamp with sleep detection
-   */
-  private updateActivity(record: IConnectionRecord): void {
-    // Get the current time
-    const now = Date.now();
-
-    // Check if there was a large time gap that suggests system sleep
-    if (record.lastActivity > 0) {
-      const timeDiff = now - record.lastActivity;
-
-      // If time difference is very large (> 30 minutes) and this is a keep-alive connection,
-      // this might indicate system sleep rather than just inactivity
-      if (timeDiff > 30 * 60 * 1000 && record.hasKeepAlive) {
-        if (this.settings.enableDetailedLogging) {
-          console.log(
-            `[${record.id}] Detected possible system sleep for ${plugins.prettyMs(timeDiff)}. ` +
-              `Handling keep-alive connection after long inactivity.`
-          );
-        }
-
-        // For TLS keep-alive connections after sleep/long inactivity, force close
-        // to make browser establish a new connection with fresh certificate context
-        if (record.isTLS && record.tlsHandshakeComplete) {
-          // More generous timeout now that we've fixed the renegotiation handling
-          if (timeDiff > 2 * 60 * 60 * 1000) {
-            // If inactive for more than 2 hours (increased from 20 minutes)
-            console.log(
-              `[${record.id}] TLS connection inactive for ${plugins.prettyMs(timeDiff)}. ` +
-                `Closing to force new connection with fresh certificate.`
-            );
-            return this.initiateCleanupOnce(record, 'certificate_refresh_needed');
-          } else if (timeDiff > 30 * 60 * 1000) {
-            // For shorter but still significant inactivity (30+ minutes), refresh TLS state
-            console.log(
-              `[${record.id}] TLS connection inactive for ${plugins.prettyMs(timeDiff)}. ` +
-                `Refreshing TLS state.`
-            );
-            this.refreshTlsStateAfterSleep(record);
-            
-            // Add an additional check in 15 minutes if no activity
-            const refreshCheckId = record.id;
-            const refreshCheck = setTimeout(() => {
-              const currentRecord = this.connectionRecords.get(refreshCheckId);
-              if (currentRecord && Date.now() - currentRecord.lastActivity > 15 * 60 * 1000) {
-                console.log(
-                  `[${refreshCheckId}] No activity detected after TLS refresh. ` +
-                    `Closing connection to ensure certificate freshness.`
-                );
-                this.initiateCleanupOnce(currentRecord, 'tls_refresh_verification_failed');
-              }
-            }, 15 * 60 * 1000);
-            
-            // Make sure timeout doesn't keep the process alive
-            if (refreshCheck.unref) {
-              refreshCheck.unref();
-            }
-          } else {
-            // For shorter inactivity periods, try to refresh the TLS state normally
-            this.refreshTlsStateAfterSleep(record);
-          }
-        }
-
-        // Mark that we detected sleep
-        record.possibleSystemSleep = true;
-        record.lastSleepDetection = now;
-      }
-    }
-
-    // Update the activity timestamp
-    record.lastActivity = now;
-
-    // Clear any inactivity warning
-    if (record.inactivityWarningIssued) {
-      record.inactivityWarningIssued = false;
-    }
-  }
-
-  /**
-   * Refresh TLS state after sleep detection
-   */
-  private refreshTlsStateAfterSleep(record: IConnectionRecord): void {
-    // Skip if we're using a NetworkProxy as it handles its own TLS state
-    if (record.usingNetworkProxy) {
-      return;
-    }
-
-    try {
-      // For outgoing connections that might need to be refreshed
-      if (record.outgoing && !record.outgoing.destroyed) {
-        // Check how long this connection has been established
-        const connectionAge = Date.now() - record.incomingStartTime;
-        const hourInMs = 60 * 60 * 1000;
-
-        // For TLS browser connections, use a more generous timeout now that 
-        // we've fixed the renegotiation handling issues
-        if (record.isTLS && record.hasKeepAlive && connectionAge > 8 * hourInMs) { // 8 hours instead of 45 minutes
-          console.log(
-            `[${record.id}] Long-lived TLS connection (${plugins.prettyMs(connectionAge)}). ` +
-              `Closing to ensure proper certificate handling on browser reconnect in proxy chain.`
-          );
-          return this.initiateCleanupOnce(record, 'certificate_context_refresh');
-        }
-
-        // For newer connections, try to send a refresh packet
-        record.outgoing.write(Buffer.alloc(0));
-
-        if (this.settings.enableDetailedLogging) {
-          console.log(`[${record.id}] Sent refresh packet after sleep detection`);
-        }
-      }
-    } catch (err) {
-      console.log(`[${record.id}] Error refreshing TLS state: ${err}`);
-
-      // If we hit an error, it's likely the connection is already broken
-      // Force cleanup to ensure browser reconnects cleanly
-      return this.initiateCleanupOnce(record, 'tls_refresh_error');
-    }
-  }
-
   /**
    * Cleans up a connection record.
    * Destroys both incoming and outgoing sockets, clears timers, and removes the record.
@@ -1265,6 +1114,16 @@ export class PortProxy {
       const bytesReceived = record.bytesReceived;
       const bytesSent = record.bytesSent;
 
+      // Remove the renegotiation handler if present
+      if (record.renegotiationHandler && record.incoming) {
+        try {
+          record.incoming.removeListener('data', record.renegotiationHandler);
+          record.renegotiationHandler = undefined;
+        } catch (err) {
+          console.log(`[${record.id}] Error removing renegotiation handler: ${err}`);
+        }
+      }
+
       try {
         if (!record.incoming.destroyed) {
           // Try graceful shutdown first, then force destroy after a short timeout
@@ -1342,7 +1201,8 @@ export class PortProxy {
             `TLS: ${record.isTLS ? 'Yes' : 'No'}, Keep-Alive: ${
               record.hasKeepAlive ? 'Yes' : 'No'
             }` +
-            `${record.usingNetworkProxy ? `, NetworkProxy: ${record.networkProxyIndex}` : ''}`
+            `${record.usingNetworkProxy ? `, NetworkProxy: ${record.networkProxyIndex}` : ''}` +
+            `${record.domainSwitches ? `, Domain switches: ${record.domainSwitches}` : ''}`
         );
       } else {
         console.log(
@@ -1352,6 +1212,18 @@ export class PortProxy {
     }
   }
 
+  /**
+   * Update connection activity timestamp
+   */
+  private updateActivity(record: IConnectionRecord): void {
+    record.lastActivity = Date.now();
+
+    // Clear any inactivity warning
+    if (record.inactivityWarningIssued) {
+      record.inactivityWarningIssued = false;
+    }
+  }
+
   /**
    * Get target IP with round-robin support
    */
@@ -1532,8 +1404,9 @@ export class PortProxy {
         // Initialize NetworkProxy tracking fields
         usingNetworkProxy: false,
 
-        // Initialize sleep detection fields
-        possibleSystemSleep: false,
+        // Initialize browser connection tracking
+        isBrowserConnection: this.settings.browserFriendlyMode, // Assume browser if browserFriendlyMode is enabled
+        domainSwitches: 0, // Track domain switches
       };
 
       // Apply keep-alive settings if enabled
@@ -1570,6 +1443,7 @@ export class PortProxy {
         console.log(
           `[${connectionId}] New connection from ${remoteIP} on port ${localPort}. ` +
             `Keep-Alive: ${connectionRecord.hasKeepAlive ? 'Enabled' : 'Disabled'}. ` +
+            `Mode: ${this.settings.browserFriendlyMode ? 'Browser-friendly' : 'Standard'}. ` +
             `Active connections: ${this.connectionRecords.size}`
         );
       } else {
@@ -1740,6 +1614,11 @@ export class PortProxy {
           }
         }
 
+        // Save the initial SNI for browser connection management
+        if (serverName) {
+          connectionRecord.lockedDomain = serverName;
+        }
+
         // If we didn't forward to NetworkProxy, proceed with direct connection
         return this.setupDirectConnection(
           connectionId,
@@ -1912,7 +1791,9 @@ export class PortProxy {
         console.log(
           `PortProxy -> OK: Now listening on port ${port}${
             this.settings.sniEnabled ? ' (SNI passthrough enabled)' : ''
-          }${this.networkProxies.length > 0 ? ' (NetworkProxy integration enabled)' : ''}`
+          }${this.networkProxies.length > 0 ? ' (NetworkProxy integration enabled)' : ''}${
+            this.settings.browserFriendlyMode ? ' (Browser-friendly mode enabled)' : ''
+          }`
         );
       });
       this.netServers.push(server);
@@ -1932,6 +1813,7 @@ export class PortProxy {
       let pendingTlsHandshakes = 0;
       let keepAliveConnections = 0;
       let networkProxyConnections = 0;
+      let domainSwitchedConnections = 0;
 
       // Create a copy of the keys to avoid modification during iteration
       const connectionIds = [...this.connectionRecords.keys()];
@@ -1960,11 +1842,14 @@ export class PortProxy {
           networkProxyConnections++;
         }
 
+        if (record.domainSwitches && record.domainSwitches > 0) {
+          domainSwitchedConnections++;
+        }
+
         maxIncoming = Math.max(maxIncoming, now - record.incomingStartTime);
         if (record.outgoingStartTime) {
           maxOutgoing = Math.max(maxOutgoing, now - record.outgoingStartTime);
         }
-
         // Parity check: if outgoing socket closed and incoming remains active
         if (
           record.outgoingClosedTime &&
@@ -2002,48 +1887,6 @@ export class PortProxy {
         ) {
           const inactivityTime = now - record.lastActivity;
 
-          // Special handling for TLS keep-alive connections
-          if (
-            record.hasKeepAlive &&
-            record.isTLS &&
-            inactivityTime > this.settings.inactivityTimeout! / 2
-          ) {
-            // For TLS keep-alive connections that are getting stale, try to refresh before closing
-            if (!record.inactivityWarningIssued) {
-              console.log(
-                `[${id}] TLS keep-alive connection from ${
-                  record.remoteIP
-                } inactive for ${plugins.prettyMs(inactivityTime)}. ` +
-                  `Attempting to preserve connection.`
-              );
-
-              // Set warning flag but give a much longer grace period for TLS connections
-              record.inactivityWarningIssued = true;
-
-              // For TLS connections, extend the last activity time considerably
-              // This gives browsers more time to re-establish the connection properly
-              record.lastActivity = now - this.settings.inactivityTimeout! / 3;
-
-              // Try to stimulate the connection with a probe packet
-              if (record.outgoing && !record.outgoing.destroyed) {
-                try {
-                  // For TLS connections, send a proper TLS heartbeat-like packet
-                  // This is just a small empty buffer that won't affect the TLS session
-                  record.outgoing.write(Buffer.alloc(0));
-
-                  if (this.settings.enableDetailedLogging) {
-                    console.log(`[${id}] Sent TLS keep-alive probe packet`);
-                  }
-                } catch (err) {
-                  console.log(`[${id}] Error sending TLS probe packet: ${err}`);
-                }
-              }
-
-              // Don't proceed to the normal inactivity check logic
-              continue;
-            }
-          }
-
           // Use extended timeout for extended-treatment keep-alive connections
           let effectiveTimeout = this.settings.inactivityTimeout!;
           if (record.hasKeepAlive && this.settings.keepAliveTreatment === 'extended') {
@@ -2078,41 +1921,13 @@ export class PortProxy {
                 }
               }
             } else {
-              // MODIFIED: For TLS connections, be more lenient before closing
-              // For TLS browser connections, we need to handle certificate context properly
-              if (record.isTLS && record.hasKeepAlive) {
-                // For very long inactivity, it's better to close the connection
-                // so the browser establishes a new one with a fresh certificate context
-                if (inactivityTime > 6 * 60 * 60 * 1000) {
-                  // 6 hours
-                  console.log(
-                    `[${id}] TLS keep-alive connection from ${
-                      record.remoteIP
-                    } inactive for ${plugins.prettyMs(inactivityTime)}. ` +
-                      `Closing to ensure proper certificate handling on browser reconnect.`
-                  );
-                  this.cleanupConnection(record, 'tls_certificate_refresh');
-                } else {
-                  // For shorter inactivity periods, add grace period
-                  console.log(
-                    `[${id}] TLS keep-alive connection from ${
-                      record.remoteIP
-                    } inactive for ${plugins.prettyMs(inactivityTime)}. ` +
-                      `Adding extra grace period.`
-                  );
-
-                  // Give additional time for browsers to reconnect properly
-                  record.lastActivity = now - effectiveTimeout / 2;
-                }
-              } else {
-                // For non-keep-alive or after warning, close the connection
-                console.log(
-                  `[${id}] Inactivity check: No activity on connection from ${record.remoteIP} ` +
-                    `for ${plugins.prettyMs(inactivityTime)}.` +
-                    (record.hasKeepAlive ? ' Despite keep-alive being enabled.' : '')
-                );
-                this.cleanupConnection(record, 'inactivity');
-              }
+              // For non-keep-alive or after warning, close the connection
+              console.log(
+                `[${id}] Inactivity check: No activity on connection from ${record.remoteIP} ` +
+                  `for ${plugins.prettyMs(inactivityTime)}.` +
+                  (record.hasKeepAlive ? ' Despite keep-alive being enabled.' : '')
+              );
+              this.cleanupConnection(record, 'inactivity');
             }
           } else if (inactivityTime <= effectiveTimeout && record.inactivityWarningIssued) {
             // If activity detected after warning, clear the warning
@@ -2130,7 +1945,8 @@ export class PortProxy {
       console.log(
         `Active connections: ${this.connectionRecords.size}. ` +
           `Types: TLS=${tlsConnections} (Completed=${completedTlsHandshakes}, Pending=${pendingTlsHandshakes}), ` +
-          `Non-TLS=${nonTlsConnections}, KeepAlive=${keepAliveConnections}, NetworkProxy=${networkProxyConnections}. ` +
+          `Non-TLS=${nonTlsConnections}, KeepAlive=${keepAliveConnections}, NetworkProxy=${networkProxyConnections}, ` +
+          `DomainSwitched=${domainSwitchedConnections}. ` +
           `Longest running: IN=${plugins.prettyMs(maxIncoming)}, OUT=${plugins.prettyMs(
             maxOutgoing
           )}. ` +