3.41.8

changelog.md

@@ -1,5 +1,122 @@
 # Changelog
 
+## 2025-03-12 - 3.41.8 - fix(portproxy)
+Improve TLS handshake timeout handling and connection piping in PortProxy
+
+- Increase the default initial handshake timeout from 60 seconds to 120 seconds
+- Add a 30-second grace period before terminating connections waiting for initial TLS data
+- Refactor piping logic by removing redundant callback and establishing piping immediately after flushing buffered data
+- Enhance debug logging during TLS ClientHello processing for improved SNI extraction insights
+
+## 2025-03-12 - 3.41.7 - fix(core)
+Refactor PortProxy and SniHandler: improve configuration handling, logging, and whitespace consistency
+
+- Standardized indentation and spacing for configuration properties in PortProxy settings (e.g. ACME options, keepAliveProbes, allowSessionTicket)
+- Simplified conditional formatting and improved inline comments in PortProxy
+- Enhanced logging messages in SniHandler for TLS handshake and session resumption detection
+- Improved debugging output (e.g. hexdump of initial TLS packet) and consistency of multi-line expressions
+
+## 2025-03-12 - 3.41.6 - fix(SniHandler)
+Refactor SniHandler: update whitespace, comment formatting, and consistent type definitions
+
+- Unified inline comment style and spacing in SniHandler
+- Refactored session cache type declaration for clarity
+- Adjusted buffer length calculations to include TLS record header consistently
+- Minor improvements to logging messages during ClientHello reassembly and SNI extraction
+
+## 2025-03-12 - 3.41.5 - fix(portproxy)
+Enforce TLS handshake and SNI validation on port 443 by blocking non-TLS connections and terminating session resumption attempts without SNI when allowSessionTicket is disabled.
+
+- Added explicit check to block non-TLS connections on port 443 to ensure proper TLS usage.
+- Enhanced logging for TLS ClientHello to include details on SNI extraction and session resumption status.
+- Terminate connections with missing SNI by setting termination reasons ('session_ticket_blocked' or 'no_sni_blocked').
+- Ensured consistent rejection of non-TLS handshakes on standard HTTPS port.
+
+## 2025-03-12 - 3.41.4 - fix(tls/sni)
+Improve logging for TLS session resumption by extracting and logging SNI values from ClientHello messages.
+
+- Added logging to output the extracted SNI value during renegotiation, initial ClientHello and in the SNI handler.
+- Enhanced error handling during SNI extraction to aid troubleshooting of TLS session resumption issues.
+
+## 2025-03-12 - 3.41.3 - fix(TLS/SNI)
+Improve TLS session resumption handling and logging. Now, session resumption attempts are always logged with details, and connections without a proper SNI are rejected when allowSessionTicket is disabled. In addition, empty SNI extensions are explicitly treated as missing, ensuring stricter and more consistent TLS handshake validation.
+
+- Always log session resumption in both renegotiation and initial ClientHello processing.
+- Terminate connections that attempt session resumption without SNI when allowSessionTicket is false.
+- Treat empty SNI extensions as absence of SNI to improve consistency in TLS handshake processing.
+
+## 2025-03-11 - 3.41.2 - fix(SniHandler)
+Refactor hasSessionResumption to return detailed session resumption info
+
+- Changed the return type of hasSessionResumption from boolean to an object with properties isResumption and hasSNI
+- Updated early return conditions to return { isResumption: false, hasSNI: false } when buffer is too short or invalid
+- Modified corresponding documentation to reflect the new return type
+
+## 2025-03-11 - 3.41.1 - fix(SniHandler)
+Improve TLS SNI session resumption handling: connections containing a session ticket are now only rejected when no SNI is present and allowSessionTicket is disabled. Updated return values and logging for clearer resumption detection.
+
+- Changed SniHandler.hasSessionResumption to return an object with 'isResumption' and 'hasSNI' flags.
+- Adjusted PortProxy logic to only terminate connections when a session ticket is detected without an accompanying SNI (when allowSessionTicket is false).
+- Enhanced debug logging to clearly differentiate between session resumption scenarios with and without SNI.
+
+## 2025-03-11 - 3.41.0 - feat(PortProxy/TLS)
+Add allowSessionTicket option to control TLS session ticket handling
+
+- Introduce 'allowSessionTicket' flag (default true) in PortProxy settings to enable or disable TLS session resumption via session tickets.
+- Update SniHandler with a new hasSessionResumption method to detect session ticket and PSK extensions in ClientHello messages.
+- Force connection cleanup during renegotiation and initial handshake when allowSessionTicket is set to false and a session ticket is detected.
+
+## 2025-03-11 - 3.40.0 - feat(SniHandler)
+Add session cache support and tab reactivation detection to improve SNI extraction in TLS handshakes
+
+- Introduce a session cache mechanism to store and retrieve cached SNI values based on client IP (and optionally client random) to better handle tab reactivation scenarios.
+- Implement functions to initialize, update, and clean up the session cache for TLS ClientHello messages.
+- Enhance SNI extraction logic to check for tab reactivation handshakes and to return cached SNI for resumed connections or 0-RTT scenarios.
+- Update PSK extension handling to safely skip over obfuscated ticket age bytes.
+
+## 2025-03-11 - 3.39.0 - feat(PortProxy)
+Add domain-specific NetworkProxy integration support to PortProxy
+
+- Introduced new properties 'useNetworkProxy' and 'networkProxyPort' in domain configurations.
+- Updated forwardToNetworkProxy to accept an optional custom proxy port parameter.
+- Enhanced TLS handshake processing to extract SNI and, if a matching domain config specifies NetworkProxy usage, forward the connection using the domain-specific port.
+- Refined connection routing logic to check for domain-specific NetworkProxy settings before falling back to default behavior.
+
+## 2025-03-11 - 3.38.2 - fix(core)
+No code changes detected; bumping patch version for consistency.
+
+
+## 2025-03-11 - 3.38.1 - fix(PortProxy)
+Improve SNI extraction handling in PortProxy by passing explicit connection info to extractSNIWithResumptionSupport for better TLS renegotiation and debug logging.
+
+- In the renegotiation handler, create and pass a connection info object (sourceIp, sourcePort, destIp, destPort) instead of a boolean flag.
+- Update the TLS handshake processing to construct a connection info object for detailed SNI extraction and logging.
+- Enhance consistency by using processTlsPacket with cached SNI hints during fallback.
+
+## 2025-03-11 - 3.38.0 - feat(SniHandler)
+Enhance SNI extraction to support fragmented ClientHello messages, TLS 1.3 early data, and improved PSK parsing
+
+- Added isTlsApplicationData method for detecting TLS application data packets
+- Implemented handleFragmentedClientHello to buffer and reassemble fragmented ClientHello messages
+- Extended extractSNIWithResumptionSupport to accept connection information and use reassembled data
+- Added detection for TLS 1.3 early data (0-RTT) in the ClientHello, supporting session resumption scenarios
+- Improved logging and heuristics for handling potential connection racing in modern browsers
+
+## 2025-03-11 - 3.37.3 - fix(snihandler)
+Enhance SNI extraction to support TLS 1.3 PSK-based session resumption by adding a dedicated extractSNIFromPSKExtension method and improved logging for session resumption indicators.
+
+- Defined TLS_PSK_EXTENSION_TYPE and TLS_PSK_KE_MODES_EXTENSION_TYPE constants.
+- Added extractSNIFromPSKExtension method to handle ClientHello messages containing PSK identities.
+- Improved logging to indicate when session resumption indicators (ticket or PSK) are present but no standard SNI is found.
+- Enhanced extractSNIWithResumptionSupport to attempt PSK extraction if standard SNI extraction fails.
+
+## 2025-03-11 - 3.37.2 - fix(PortProxy)
+Improve buffering and data handling during connection setup in PortProxy to prevent data loss
+
+- Added a safeDataHandler and processDataQueue to buffer incoming data reliably during the TLS handshake phase
+- Introduced a queue with pause/resume logic to avoid exceeding maxPendingDataSize and ensure all pending data is flushed before piping begins
+- Refactored the piping setup to install the renegotiation handler only after proper data flushing
+
 ## 2025-03-11 - 3.37.1 - fix(PortProxy/SNI)
 Refactor SNI extraction in PortProxy to use the dedicated SniHandler class
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "3.37.1",
+  "version": "3.41.8",
   "private": false,
   "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.",
   "main": "dist_ts/index.js",

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '3.37.1',
+  version: '3.41.8',
   description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
 }

ts/classes.portproxy.ts

@@ -11,6 +11,10 @@ export interface IDomainConfig {
   portRanges?: Array<{ from: number; to: number }>; // Optional port ranges
   // Allow domain-specific timeout override
   connectionTimeout?: number; // Connection timeout override (ms)
+
+  // NetworkProxy integration options for this specific domain
+  useNetworkProxy?: boolean; // Whether to use NetworkProxy for this domain
+  networkProxyPort?: number; // Override default NetworkProxy port for this domain
 }
 
 /** Port proxy settings including global allowed port ranges */
@@ -47,6 +51,7 @@ export interface IPortProxySettings extends plugins.tls.TlsOptions {
   enableDetailedLogging?: boolean; // Enable detailed connection logging
   enableTlsDebugLogging?: boolean; // Enable TLS handshake debug logging
   enableRandomizedTimeouts?: boolean; // Randomize timeouts slightly to prevent thundering herd
+  allowSessionTicket?: boolean; // Allow TLS session ticket for reconnection (default: true)
 
   // Rate limiting and security
   maxConnectionsPerIP?: number; // Maximum simultaneous connections from a single IP
@@ -211,7 +216,7 @@ export class PortProxy {
       targetIP: settingsArg.targetIP || 'localhost',
 
       // Timeout settings with reasonable defaults
-      initialDataTimeout: settingsArg.initialDataTimeout || 60000, // 60 seconds for initial handshake
+      initialDataTimeout: settingsArg.initialDataTimeout || 120000, // 120 seconds for initial handshake
       socketTimeout: ensureSafeTimeout(settingsArg.socketTimeout || 3600000), // 1 hour socket timeout
       inactivityCheckInterval: settingsArg.inactivityCheckInterval || 60000, // 60 seconds interval
       maxConnectionLifetime: ensureSafeTimeout(settingsArg.maxConnectionLifetime || 86400000), // 24 hours default
@@ -227,11 +232,13 @@ export class PortProxy {
 
       // Feature flags
       disableInactivityCheck: settingsArg.disableInactivityCheck || false,
-      enableKeepAliveProbes: settingsArg.enableKeepAliveProbes !== undefined 
-                            ? settingsArg.enableKeepAliveProbes : true,
+      enableKeepAliveProbes:
+        settingsArg.enableKeepAliveProbes !== undefined ? settingsArg.enableKeepAliveProbes : true,
       enableDetailedLogging: settingsArg.enableDetailedLogging || false,
       enableTlsDebugLogging: settingsArg.enableTlsDebugLogging || false,
       enableRandomizedTimeouts: settingsArg.enableRandomizedTimeouts || false,
+      allowSessionTicket:
+        settingsArg.allowSessionTicket !== undefined ? settingsArg.allowSessionTicket : true,
 
       // Rate limiting defaults
       maxConnectionsPerIP: settingsArg.maxConnectionsPerIP || 100,
@@ -254,8 +261,8 @@ export class PortProxy {
         renewThresholdDays: 30,
         autoRenew: true,
         certificateStore: './certs',
-        skipConfiguredCerts: false
-      }
+        skipConfiguredCerts: false,
+      },
     };
 
     // Initialize NetworkProxy if enabled
@@ -273,7 +280,7 @@ export class PortProxy {
       const networkProxyOptions: any = {
         port: this.settings.networkProxyPort!,
         portProxyIntegration: true,
-        logLevel: this.settings.enableDetailedLogging ? 'debug' : 'info'
+        logLevel: this.settings.enableDetailedLogging ? 'debug' : 'info',
       };
 
       // Add ACME settings if configured
@@ -314,7 +321,7 @@ export class PortProxy {
     // Update settings
     this.settings.acme = {
       ...this.settings.acme,
-      ...acmeSettings
+      ...acmeSettings,
     };
 
     // If NetworkProxy is initialized, update its ACME settings
@@ -372,17 +379,19 @@ export class PortProxy {
       try {
         certPair = {
           key: fs.readFileSync('assets/certs/key.pem', 'utf8'),
-          cert: fs.readFileSync('assets/certs/cert.pem', 'utf8')
+          cert: fs.readFileSync('assets/certs/cert.pem', 'utf8'),
         };
       } catch (certError) {
         console.log(`Warning: Could not read default certificates: ${certError}`);
-        console.log('Using empty certificate placeholders - ACME will generate proper certificates if enabled');
+        console.log(
+          'Using empty certificate placeholders - ACME will generate proper certificates if enabled'
+        );
 
         // Use empty placeholders - NetworkProxy will use its internal defaults
         // or ACME will generate proper ones if enabled
         certPair = {
           key: '',
-          cert: ''
+          cert: '',
         };
       }
 
@@ -395,8 +404,8 @@ export class PortProxy {
       // Log ACME-eligible domains if ACME is enabled
       if (this.settings.acme?.enabled) {
         const acmeEligibleDomains = proxyConfigs
-          .filter(config => !config.hostName.includes('*')) // Exclude wildcards
-          .map(config => config.hostName);
+          .filter((config) => !config.hostName.includes('*')) // Exclude wildcards
+          .map((config) => config.hostName);
 
         if (acmeEligibleDomains.length > 0) {
           console.log(`Domains eligible for ACME certificates: ${acmeEligibleDomains.join(', ')}`);
@@ -406,9 +415,14 @@ export class PortProxy {
       }
 
       // Update NetworkProxy with the converted configs
-      this.networkProxy.updateProxyConfigs(proxyConfigs).then(() => {
-        console.log(`Successfully synchronized ${proxyConfigs.length} domain configurations to NetworkProxy`);
-      }).catch(err => {
+      this.networkProxy
+        .updateProxyConfigs(proxyConfigs)
+        .then(() => {
+          console.log(
+            `Successfully synchronized ${proxyConfigs.length} domain configurations to NetworkProxy`
+          );
+        })
+        .catch((err) => {
           console.log(`Error synchronizing configurations: ${err.message}`);
         });
     } catch (err) {
@@ -452,12 +466,14 @@ export class PortProxy {
    * @param socket - The incoming client socket
    * @param record - The connection record
    * @param initialData - Initial data chunk (TLS ClientHello)
+   * @param customProxyPort - Optional custom port for NetworkProxy (for domain-specific settings)
    */
   private forwardToNetworkProxy(
     connectionId: string,
     socket: plugins.net.Socket,
     record: IConnectionRecord,
-    initialData: Buffer
+    initialData: Buffer,
+    customProxyPort?: number
   ): void {
     // Ensure NetworkProxy is initialized
     if (!this.networkProxy) {
@@ -475,7 +491,8 @@ export class PortProxy {
       );
     }
 
-    const proxyPort = this.networkProxy.getListeningPort();
+    // Use the custom port if provided, otherwise use the default NetworkProxy port
+    const proxyPort = customProxyPort || this.networkProxy.getListeningPort();
     const proxyHost = 'localhost'; // Assuming NetworkProxy runs locally
 
     if (this.settings.enableDetailedLogging) {
@@ -536,9 +553,7 @@ export class PortProxy {
       proxySocket.on('data', () => this.updateActivity(record));
 
       if (this.settings.enableDetailedLogging) {
-        console.log(
-          `[${connectionId}] TLS connection successfully forwarded to NetworkProxy`
-        );
+        console.log(`[${connectionId}] TLS connection successfully forwarded to NetworkProxy`);
       }
     });
   }
@@ -566,11 +581,40 @@ export class PortProxy {
       connectionOptions.localAddress = record.remoteIP.replace('::ffff:', '');
     }
 
+    // Create a safe queue for incoming data using a Buffer array
+    // We'll use this to ensure we don't lose data during handler transitions
+    const dataQueue: Buffer[] = [];
+    let queueSize = 0;
+    let processingQueue = false;
+    let drainPending = false;
+
+    // Flag to track if we've switched to the final piping mechanism
+    // Once this is true, we no longer buffer data in dataQueue
+    let pipingEstablished = false;
+
     // Pause the incoming socket to prevent buffer overflows
+    // This ensures we control the flow of data until piping is set up
     socket.pause();
 
-    // Temporary handler to collect data during connection setup
-    const tempDataHandler = (chunk: Buffer) => {
+    // Function to safely process the data queue without losing events
+    const processDataQueue = () => {
+      if (processingQueue || dataQueue.length === 0 || pipingEstablished) return;
+
+      processingQueue = true;
+
+      try {
+        // Process all queued chunks with the current active handler
+        while (dataQueue.length > 0) {
+          const chunk = dataQueue.shift()!;
+          queueSize -= chunk.length;
+
+          // Once piping is established, we shouldn't get here,
+          // but just in case, pass to the outgoing socket directly
+          if (pipingEstablished && record.outgoing) {
+            record.outgoing.write(chunk);
+            continue;
+          }
+
           // Track bytes received
           record.bytesReceived += chunk.length;
 
@@ -593,17 +637,48 @@ export class PortProxy {
               `[${connectionId}] Buffer limit exceeded for connection from ${record.remoteIP}: ${newSize} bytes > ${this.settings.maxPendingDataSize} bytes`
             );
             socket.end(); // Gracefully close the socket
-        return this.initiateCleanupOnce(record, 'buffer_limit_exceeded');
+            this.initiateCleanupOnce(record, 'buffer_limit_exceeded');
+            return;
           }
 
           // Buffer the chunk and update the size counter
           record.pendingData.push(Buffer.from(chunk));
           record.pendingDataSize = newSize;
           this.updateActivity(record);
+        }
+      } finally {
+        processingQueue = false;
+
+        // If there's a pending drain and we've processed everything,
+        // signal we're ready for more data if we haven't established piping yet
+        if (drainPending && dataQueue.length === 0 && !pipingEstablished) {
+          drainPending = false;
+          socket.resume();
+        }
+      }
     };
 
-    // Add the temp handler to capture all incoming data during connection setup
-    socket.on('data', tempDataHandler);
+    // Unified data handler that safely queues incoming data
+    const safeDataHandler = (chunk: Buffer) => {
+      // If piping is already established, just let the pipe handle it
+      if (pipingEstablished) return;
+
+      // Add to our queue for orderly processing
+      dataQueue.push(Buffer.from(chunk)); // Make a copy to be safe
+      queueSize += chunk.length;
+
+      // If queue is getting large, pause socket until we catch up
+      if (this.settings.maxPendingDataSize && queueSize > this.settings.maxPendingDataSize * 0.8) {
+        socket.pause();
+        drainPending = true;
+      }
+
+      // Process the queue
+      processDataQueue();
+    };
+
+    // Add our safe data handler
+    socket.on('data', safeDataHandler);
 
     // Add initial chunk to pending data if present
     if (initialChunk) {
@@ -776,89 +851,81 @@ export class PortProxy {
       // Add the normal error handler for established connections
       targetSocket.on('error', this.handleError('outgoing', record));
 
-      // Remove temporary data handler
-      socket.removeListener('data', tempDataHandler);
+      // Process any remaining data in the queue before switching to piping
+      processDataQueue();
+      
+      // Set up piping immediately - don't delay this crucial step
+      pipingEstablished = true;
       
       // Flush all pending data to target
       if (record.pendingData.length > 0) {
         const combinedData = Buffer.concat(record.pendingData);
+        
+        if (this.settings.enableDetailedLogging) {
+          console.log(`[${connectionId}] Forwarding ${combinedData.length} bytes of initial data to target`);
+        }
+        
+        // Write pending data immediately
         targetSocket.write(combinedData, (err) => {
           if (err) {
             console.log(`[${connectionId}] Error writing pending data to target: ${err.message}`);
             return this.initiateCleanupOnce(record, 'write_error');
           }
-
-          // Now set up piping for future data and resume the socket
-          socket.pipe(targetSocket);
-          targetSocket.pipe(socket);
-          socket.resume(); // Resume the socket after piping is established
-
-          if (this.settings.enableDetailedLogging) {
-            console.log(
-              `[${connectionId}] Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` +
-                `${
-                  serverName
-                    ? ` (SNI: ${serverName})`
-                    : domainConfig
-                    ? ` (Port-based for domain: ${domainConfig.domains.join(', ')})`
-                    : ''
-                }` +
-                ` TLS: ${record.isTLS ? 'Yes' : 'No'}, Keep-Alive: ${
-                  record.hasKeepAlive ? 'Yes' : 'No'
-                }`
-            );
-          } else {
-            console.log(
-              `Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` +
-                `${
-                  serverName
-                    ? ` (SNI: ${serverName})`
-                    : domainConfig
-                    ? ` (Port-based for domain: ${domainConfig.domains.join(', ')})`
-                    : ''
-                }`
-            );
-          }
         });
-      } else {
-        // No pending data, so just set up piping
-        socket.pipe(targetSocket);
-        targetSocket.pipe(socket);
-        socket.resume(); // Resume the socket after piping is established
-
-        if (this.settings.enableDetailedLogging) {
-          console.log(
-            `[${connectionId}] Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` +
-              `${
-                serverName
-                  ? ` (SNI: ${serverName})`
-                  : domainConfig
-                  ? ` (Port-based for domain: ${domainConfig.domains.join(', ')})`
-                  : ''
-              }` +
-              ` TLS: ${record.isTLS ? 'Yes' : 'No'}, Keep-Alive: ${
-                record.hasKeepAlive ? 'Yes' : 'No'
-              }`
-          );
-        } else {
-          console.log(
-            `Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` +
-              `${
-                serverName
-                  ? ` (SNI: ${serverName})`
-                  : domainConfig
-                  ? ` (Port-based for domain: ${domainConfig.domains.join(', ')})`
-                  : ''
-              }`
-          );
-        }
-      }
         
         // Clear the buffer now that we've processed it
         record.pendingData = [];
         record.pendingDataSize = 0;
+      }
+      
+      // Setup piping in both directions without any delays
+      socket.pipe(targetSocket);
+      targetSocket.pipe(socket);
+      
+      // Resume the socket to ensure data flows - CRITICAL!
+      socket.resume();
+      
+      // Process any data that might be queued in the interim
+      if (dataQueue.length > 0) {
+        // Write any remaining queued data directly to the target socket
+        for (const chunk of dataQueue) {
+          targetSocket.write(chunk);
+        }
+        // Clear the queue
+        dataQueue.length = 0;
+        queueSize = 0;
+      }
+      
+      if (this.settings.enableDetailedLogging) {
+        console.log(
+          `[${connectionId}] Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` +
+            `${
+              serverName
+                ? ` (SNI: ${serverName})`
+                : domainConfig
+                ? ` (Port-based for domain: ${domainConfig.domains.join(', ')})`
+                : ''
+            }` +
+            ` TLS: ${record.isTLS ? 'Yes' : 'No'}, Keep-Alive: ${
+              record.hasKeepAlive ? 'Yes' : 'No'
+            }`
+        );
+      } else {
+        console.log(
+          `Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` +
+            `${
+              serverName
+                ? ` (SNI: ${serverName})`
+                : domainConfig
+                ? ` (Port-based for domain: ${domainConfig.domains.join(', ')})`
+                : ''
+            }`
+        );
+      }
+
 
       // Add the renegotiation handler for SNI validation with strict domain enforcement
+      // This will be called after we've established piping
       if (serverName) {
         // Define a handler for checking renegotiation with improved detection
         const renegotiationHandler = (renegChunk: Buffer) => {
@@ -866,7 +933,60 @@ export class PortProxy {
           if (SniHandler.isClientHello(renegChunk)) {
             try {
               // Extract SNI from ClientHello
-              const newSNI = SniHandler.extractSNIWithResumptionSupport(renegChunk, this.settings.enableTlsDebugLogging);
+              // Create a connection info object for the existing connection
+              const connInfo = {
+                sourceIp: record.remoteIP,
+                sourcePort: record.incoming.remotePort || 0,
+                destIp: record.incoming.localAddress || '',
+                destPort: record.incoming.localPort || 0,
+              };
+
+              // Check for session tickets if allowSessionTicket is disabled
+              if (this.settings.allowSessionTicket === false) {
+                // Analyze for session resumption attempt (session ticket or PSK)
+                const resumptionInfo = SniHandler.hasSessionResumption(
+                  renegChunk,
+                  this.settings.enableTlsDebugLogging
+                );
+
+                if (resumptionInfo.isResumption) {
+                  // Always log resumption attempt for easier debugging
+                  // Try to extract SNI for logging
+                  const extractedSNI = SniHandler.extractSNI(
+                    renegChunk,
+                    this.settings.enableTlsDebugLogging
+                  );
+                  console.log(
+                    `[${connectionId}] Session resumption detected in renegotiation. ` +
+                      `Has SNI: ${resumptionInfo.hasSNI ? 'Yes' : 'No'}, ` +
+                      `SNI value: ${extractedSNI || 'None'}, ` +
+                      `allowSessionTicket: ${this.settings.allowSessionTicket}`
+                  );
+
+                  // Block if there's session resumption without SNI
+                  if (!resumptionInfo.hasSNI) {
+                    console.log(
+                      `[${connectionId}] Session resumption detected in renegotiation without SNI and allowSessionTicket=false. ` +
+                        `Terminating connection to force new TLS handshake.`
+                    );
+                    this.initiateCleanupOnce(record, 'session_ticket_blocked');
+                    return;
+                  } else {
+                    if (this.settings.enableDetailedLogging) {
+                      console.log(
+                        `[${connectionId}] Session resumption with SNI detected in renegotiation. ` +
+                          `Allowing connection since SNI is present.`
+                      );
+                    }
+                  }
+                }
+              }
+
+              const newSNI = SniHandler.extractSNIWithResumptionSupport(
+                renegChunk,
+                connInfo,
+                this.settings.enableTlsDebugLogging
+              );
 
               // Skip if no SNI was found
               if (!newSNI) return;
@@ -895,8 +1015,20 @@ export class PortProxy {
         // Store the handler in the connection record so we can remove it during cleanup
         record.renegotiationHandler = renegotiationHandler;
 
-        // Add the listener
+        // The renegotiation handler is added when piping is established
+        // Making it part of setupPiping ensures proper sequencing of event handlers
         socket.on('data', renegotiationHandler);
+
+        if (this.settings.enableDetailedLogging) {
+          console.log(
+            `[${connectionId}] TLS renegotiation handler installed for SNI domain: ${serverName}`
+          );
+          if (this.settings.allowSessionTicket === false) {
+            console.log(
+              `[${connectionId}] Session ticket usage is disabled. Connection will be reset on reconnection attempts.`
+            );
+          }
+        }
       }
 
       // Set connection timeout with simpler logic
@@ -1056,13 +1188,16 @@ export class PortProxy {
       const bytesReceived = record.bytesReceived;
       const bytesSent = record.bytesSent;
 
-      // Remove the renegotiation handler if present
-      if (record.renegotiationHandler && record.incoming) {
+      // Remove all data handlers (both standard and renegotiation) to make sure we clean up properly
+      if (record.incoming) {
         try {
-          record.incoming.removeListener('data', record.renegotiationHandler);
+          // Remove our safe data handler
+          record.incoming.removeAllListeners('data');
+
+          // Reset the handler references
           record.renegotiationHandler = undefined;
         } catch (err) {
-          console.log(`[${record.id}] Error removing renegotiation handler: ${err}`);
+          console.log(`[${record.id}] Error removing data handlers: ${err}`);
         }
       }
 
@@ -1284,7 +1419,11 @@ export class PortProxy {
     }
 
     // Initialize NetworkProxy if needed (useNetworkProxy is set but networkProxy isn't initialized)
-    if (this.settings.useNetworkProxy && this.settings.useNetworkProxy.length > 0 && !this.networkProxy) {
+    if (
+      this.settings.useNetworkProxy &&
+      this.settings.useNetworkProxy.length > 0 &&
+      !this.networkProxy
+    ) {
       await this.initializeNetworkProxy();
     }
 
@@ -1295,7 +1434,11 @@ export class PortProxy {
 
       // Log ACME status
       if (this.settings.acme?.enabled) {
-        console.log(`ACME certificate management is enabled (${this.settings.acme.useProduction ? 'Production' : 'Staging'} mode)`);
+        console.log(
+          `ACME certificate management is enabled (${
+            this.settings.acme.useProduction ? 'Production' : 'Staging'
+          } mode)`
+        );
         console.log(`ACME HTTP challenge server on port ${this.settings.acme.port}`);
 
         // Register domains for ACME certificates if enabled
@@ -1416,9 +1559,12 @@ export class PortProxy {
         );
       }
 
-      // Check if this connection should be forwarded directly to NetworkProxy based on port
-      const shouldUseNetworkProxy = this.settings.useNetworkProxy && 
-                                    this.settings.useNetworkProxy.includes(localPort);
+      // Check if this connection should be forwarded directly to NetworkProxy
+      // First check port-based forwarding settings
+      let shouldUseNetworkProxy =
+        this.settings.useNetworkProxy && this.settings.useNetworkProxy.includes(localPort);
+
+      // We'll look for domain-specific settings after SNI extraction
 
       if (shouldUseNetworkProxy) {
         // For NetworkProxy ports, we want to capture the TLS handshake and forward directly
@@ -1427,9 +1573,12 @@ export class PortProxy {
         // Set an initial timeout for handshake data
         let initialTimeout: NodeJS.Timeout | null = setTimeout(() => {
           if (!initialDataReceived) {
-            console.log(
-              `[${connectionId}] Initial data timeout (${this.settings.initialDataTimeout}ms) for connection from ${remoteIP} on port ${localPort}`
-            );
+            console.log(`[${connectionId}] Initial data warning (${this.settings.initialDataTimeout}ms) for connection from ${remoteIP}`);
+            
+            // Add a grace period instead of immediate termination
+            setTimeout(() => {
+              if (!initialDataReceived) {
+                console.log(`[${connectionId}] Final initial data timeout after grace period`);
                 if (connectionRecord.incomingTerminationReason === null) {
                   connectionRecord.incomingTerminationReason = 'initial_timeout';
                   this.incrementTerminationStat('incoming', 'initial_timeout');
@@ -1437,6 +1586,8 @@ export class PortProxy {
                 socket.end();
                 this.cleanupConnection(connectionRecord, 'initial_timeout');
               }
+            }, 30000); // 30 second grace period
+          }
         }, this.settings.initialDataTimeout!);
 
         // Make sure timeout doesn't keep the process alive
@@ -1457,19 +1608,144 @@ export class PortProxy {
           initialDataReceived = true;
           connectionRecord.hasReceivedInitialData = true;
 
+          // Block non-TLS connections on port 443
+          // Always enforce TLS on standard HTTPS port
+          if (!SniHandler.isTlsHandshake(chunk) && localPort === 443) {
+            console.log(
+              `[${connectionId}] Non-TLS connection detected on port 443. ` +
+                `Terminating connection - only TLS traffic is allowed on standard HTTPS port.`
+            );
+            if (connectionRecord.incomingTerminationReason === null) {
+              connectionRecord.incomingTerminationReason = 'non_tls_blocked';
+              this.incrementTerminationStat('incoming', 'non_tls_blocked');
+            }
+            socket.end();
+            this.cleanupConnection(connectionRecord, 'non_tls_blocked');
+            return;
+          }
+
           // Check if this looks like a TLS handshake
           if (SniHandler.isTlsHandshake(chunk)) {
             connectionRecord.isTLS = true;
 
-            // Forward directly to NetworkProxy without SNI processing
+            // Check for TLS ClientHello with either no SNI or session tickets
+            if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
+              // Extract SNI first
+              const extractedSNI = SniHandler.extractSNI(
+                chunk,
+                this.settings.enableTlsDebugLogging
+              );
+              const hasSNI = !!extractedSNI;
+
+              // Analyze for session resumption attempt
+              const resumptionInfo = SniHandler.hasSessionResumption(
+                chunk,
+                this.settings.enableTlsDebugLogging
+              );
+
+              // Always log for debugging purposes
+              console.log(
+                `[${connectionId}] TLS ClientHello detected with allowSessionTicket=false. ` +
+                  `Has SNI: ${hasSNI ? 'Yes' : 'No'}, ` +
+                  `SNI value: ${extractedSNI || 'None'}, ` +
+                  `Has session resumption: ${resumptionInfo.isResumption ? 'Yes' : 'No'}`
+              );
+
+              // Block if this is a connection with session resumption but no SNI
+              if (resumptionInfo.isResumption && !hasSNI) {
+                console.log(
+                  `[${connectionId}] Session resumption detected in initial ClientHello without SNI and allowSessionTicket=false. ` +
+                    `Terminating connection to force new TLS handshake.`
+                );
+                if (connectionRecord.incomingTerminationReason === null) {
+                  connectionRecord.incomingTerminationReason = 'session_ticket_blocked';
+                  this.incrementTerminationStat('incoming', 'session_ticket_blocked');
+                }
+                socket.end();
+                this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
+                return;
+              }
+
+              // Also block if this is a TLS connection without SNI when allowSessionTicket is false
+              // This forces clients to send SNI which helps with routing
+              if (!hasSNI && localPort === 443) {
+                console.log(
+                  `[${connectionId}] TLS ClientHello detected on port 443 without SNI and allowSessionTicket=false. ` +
+                    `Terminating connection to force proper SNI in handshake.`
+                );
+                if (connectionRecord.incomingTerminationReason === null) {
+                  connectionRecord.incomingTerminationReason = 'no_sni_blocked';
+                  this.incrementTerminationStat('incoming', 'no_sni_blocked');
+                }
+                socket.end();
+                this.cleanupConnection(connectionRecord, 'no_sni_blocked');
+                return;
+              }
+            }
+
+            // Try to extract SNI for domain-specific NetworkProxy handling
+            const connInfo = {
+              sourceIp: remoteIP,
+              sourcePort: socket.remotePort || 0,
+              destIp: socket.localAddress || '',
+              destPort: socket.localPort || 0,
+            };
+
+            // Extract SNI to check for domain-specific NetworkProxy settings
+            const serverName = SniHandler.processTlsPacket(
+              chunk,
+              connInfo,
+              this.settings.enableTlsDebugLogging
+            );
+
+            if (serverName) {
+              // If we got an SNI, check for domain-specific NetworkProxy settings
+              const domainConfig = this.settings.domainConfigs.find((config) =>
+                config.domains.some((d) => plugins.minimatch(serverName, d))
+              );
+
+              // Save domain config and SNI in connection record
+              connectionRecord.domainConfig = domainConfig;
+              connectionRecord.lockedDomain = serverName;
+
+              // Use domain-specific NetworkProxy port if configured
+              if (domainConfig?.useNetworkProxy) {
+                const networkProxyPort =
+                  domainConfig.networkProxyPort || this.settings.networkProxyPort;
+
+                if (this.settings.enableDetailedLogging) {
+                  console.log(
+                    `[${connectionId}] Using domain-specific NetworkProxy for ${serverName} on port ${networkProxyPort}`
+                  );
+                }
+
+                // Forward to NetworkProxy with domain-specific port
+                this.forwardToNetworkProxy(
+                  connectionId,
+                  socket,
+                  connectionRecord,
+                  chunk,
+                  networkProxyPort
+                );
+                return;
+              }
+            }
+
+            // Forward directly to NetworkProxy without domain-specific settings
             this.forwardToNetworkProxy(connectionId, socket, connectionRecord, chunk);
           } else {
             // If not TLS, use normal direct connection
             console.log(`[${connectionId}] Non-TLS connection on NetworkProxy port ${localPort}`);
-            this.setupDirectConnection(connectionId, socket, connectionRecord, undefined, undefined, chunk);
+            this.setupDirectConnection(
+              connectionId,
+              socket,
+              connectionRecord,
+              undefined,
+              undefined,
+              chunk
+            );
           }
         });
-        
       } else {
         // For non-NetworkProxy ports, proceed with normal processing
 
@@ -1491,9 +1767,12 @@ export class PortProxy {
         if (this.settings.sniEnabled) {
           initialTimeout = setTimeout(() => {
             if (!initialDataReceived) {
-              console.log(
-                `[${connectionId}] Initial data timeout (${this.settings.initialDataTimeout}ms) for connection from ${remoteIP} on port ${localPort}`
-              );
+              console.log(`[${connectionId}] Initial data warning (${this.settings.initialDataTimeout}ms) for connection from ${remoteIP}`);
+              
+              // Add a grace period instead of immediate termination
+              setTimeout(() => {
+                if (!initialDataReceived) {
+                  console.log(`[${connectionId}] Final initial data timeout after grace period`);
                   if (connectionRecord.incomingTerminationReason === null) {
                     connectionRecord.incomingTerminationReason = 'initial_timeout';
                     this.incrementTerminationStat('incoming', 'initial_timeout');
@@ -1501,6 +1780,8 @@ export class PortProxy {
                   socket.end();
                   this.cleanupConnection(connectionRecord, 'initial_timeout');
                 }
+              }, 30000); // 30 second grace period
+            }
           }, this.settings.initialDataTimeout!);
 
           // Make sure timeout doesn't keep the process alive
@@ -1528,7 +1809,15 @@ export class PortProxy {
                 `[${connectionId}] TLS handshake detected from ${remoteIP}, ${chunk.length} bytes`
               );
               // Try to extract SNI and log detailed debug info
-              SniHandler.extractSNIWithResumptionSupport(chunk, true);
+              // Create connection info for debug logging
+              const debugConnInfo = {
+                sourceIp: remoteIP,
+                sourcePort: socket.remotePort || 0,
+                destIp: socket.localAddress || '',
+                destPort: socket.localPort || 0,
+              };
+
+              SniHandler.extractSNIWithResumptionSupport(chunk, debugConnInfo, true);
             }
           }
         });
@@ -1580,6 +1869,30 @@ export class PortProxy {
           // Save domain config in connection record
           connectionRecord.domainConfig = domainConfig;
 
+          // Check if this domain should use NetworkProxy (domain-specific setting)
+          if (domainConfig?.useNetworkProxy && this.networkProxy) {
+            if (this.settings.enableDetailedLogging) {
+              console.log(
+                `[${connectionId}] Domain ${serverName} is configured to use NetworkProxy`
+              );
+            }
+
+            const networkProxyPort =
+              domainConfig.networkProxyPort || this.settings.networkProxyPort;
+
+            if (initialChunk && connectionRecord.isTLS) {
+              // For TLS connections with initial chunk, forward to NetworkProxy
+              this.forwardToNetworkProxy(
+                connectionId,
+                socket,
+                connectionRecord,
+                initialChunk,
+                networkProxyPort // Pass the domain-specific NetworkProxy port if configured
+              );
+              return; // Skip normal connection setup
+            }
+          }
+
           // IP validation is skipped if allowedIPs is empty
           if (domainConfig) {
             const effectiveAllowedIPs: string[] = [
@@ -1603,7 +1916,10 @@ export class PortProxy {
                 )}`
               );
             }
-          } else if (this.settings.defaultAllowedIPs && this.settings.defaultAllowedIPs.length > 0) {
+          } else if (
+            this.settings.defaultAllowedIPs &&
+            this.settings.defaultAllowedIPs.length > 0
+          ) {
             if (
               !isGlobIPAllowed(
                 remoteIP,
@@ -1716,6 +2032,7 @@ export class PortProxy {
           initialDataReceived = false;
 
           socket.once('data', (chunk: Buffer) => {
+            // Clear timeout immediately
             if (initialTimeout) {
               clearTimeout(initialTimeout);
               initialTimeout = null;
@@ -1723,6 +2040,39 @@ export class PortProxy {
             
             initialDataReceived = true;
             
+            // Add debugging ONLY if detailed logging is enabled - avoid heavy processing
+            if (this.settings.enableTlsDebugLogging && SniHandler.isClientHello(chunk)) {
+              // Move heavy debug logging to a separate async task to not block the flow
+              setImmediate(() => {
+                try {
+                  const resumptionInfo = SniHandler.hasSessionResumption(chunk, true);
+                  const standardSNI = SniHandler.extractSNI(chunk, true);
+                  const pskSNI = SniHandler.extractSNIFromPSKExtension(chunk, true);
+                  
+                  console.log(`[${connectionId}] ClientHello details: isResumption=${resumptionInfo.isResumption}, hasSNI=${resumptionInfo.hasSNI}`);
+                  console.log(`[${connectionId}] SNI extraction results: standardSNI=${standardSNI || 'none'}, pskSNI=${pskSNI || 'none'}`);
+                } catch (err) {
+                  console.log(`[${connectionId}] Error in debug logging: ${err}`);
+                }
+              });
+            }
+
+            // Block non-TLS connections on port 443
+            // Always enforce TLS on standard HTTPS port
+            if (!SniHandler.isTlsHandshake(chunk) && localPort === 443) {
+              console.log(
+                `[${connectionId}] Non-TLS connection detected on port 443 in SNI handler. ` +
+                  `Terminating connection - only TLS traffic is allowed on standard HTTPS port.`
+              );
+              if (connectionRecord.incomingTerminationReason === null) {
+                connectionRecord.incomingTerminationReason = 'non_tls_blocked';
+                this.incrementTerminationStat('incoming', 'non_tls_blocked');
+              }
+              socket.end();
+              this.cleanupConnection(connectionRecord, 'non_tls_blocked');
+              return;
+            }
+
             // Try to extract SNI
             let serverName = '';
 
@@ -1735,7 +2085,68 @@ export class PortProxy {
                 );
               }
 
-              serverName = SniHandler.extractSNIWithResumptionSupport(chunk, this.settings.enableTlsDebugLogging) || '';
+              // Check for session tickets if allowSessionTicket is disabled
+              if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
+                // Analyze for session resumption attempt
+                const resumptionInfo = SniHandler.hasSessionResumption(
+                  chunk,
+                  this.settings.enableTlsDebugLogging
+                );
+
+                if (resumptionInfo.isResumption) {
+                  // Always log resumption attempt for easier debugging
+                  // Try to extract SNI for logging
+                  const extractedSNI = SniHandler.extractSNI(
+                    chunk,
+                    this.settings.enableTlsDebugLogging
+                  );
+                  console.log(
+                    `[${connectionId}] Session resumption detected in SNI handler. ` +
+                      `Has SNI: ${resumptionInfo.hasSNI ? 'Yes' : 'No'}, ` +
+                      `SNI value: ${extractedSNI || 'None'}, ` +
+                      `allowSessionTicket: ${this.settings.allowSessionTicket}`
+                  );
+
+                  // Block if there's session resumption without SNI
+                  if (!resumptionInfo.hasSNI) {
+                    console.log(
+                      `[${connectionId}] Session resumption detected in SNI handler without SNI and allowSessionTicket=false. ` +
+                        `Terminating connection to force new TLS handshake.`
+                    );
+                    if (connectionRecord.incomingTerminationReason === null) {
+                      connectionRecord.incomingTerminationReason = 'session_ticket_blocked';
+                      this.incrementTerminationStat('incoming', 'session_ticket_blocked');
+                    }
+                    socket.end();
+                    this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
+                    return;
+                  } else {
+                    if (this.settings.enableDetailedLogging) {
+                      console.log(
+                        `[${connectionId}] Session resumption with SNI detected in SNI handler. ` +
+                          `Allowing connection since SNI is present.`
+                      );
+                    }
+                  }
+                }
+              }
+
+              // Create connection info object for SNI extraction
+              const connInfo = {
+                sourceIp: remoteIP,
+                sourcePort: socket.remotePort || 0,
+                destIp: socket.localAddress || '',
+                destPort: socket.localPort || 0,
+              };
+
+              // Use the new processTlsPacket method for comprehensive handling
+              serverName =
+                SniHandler.processTlsPacket(
+                  chunk,
+                  connInfo,
+                  this.settings.enableTlsDebugLogging,
+                  connectionRecord.lockedDomain // Pass any previously negotiated domain as a hint
+                ) || '';
             }
 
             // Lock the connection to the negotiated SNI.