3.11.0

changelog.md

@@ -1,5 +1,76 @@
 # Changelog
 
+## 2025-02-24 - 3.11.0 - feat(Port80Handler)
+Add automatic certificate issuance with ACME client
+
+- Implemented automatic certificate issuance using 'acme-client' for Port80Handler.
+- Converts account key and CSR from Buffers to strings for processing.
+- Implemented HTTP-01 challenge handling for certificate acquisition.
+- New certificates are fetched and added dynamically.
+
+## 2025-02-24 - 3.10.5 - fix(portproxy)
+Fix incorrect import path in test file
+
+- Change import path from '../ts/smartproxy.portproxy.js' to '../ts/classes.portproxy.js' in test/test.portproxy.ts
+
+## 2025-02-23 - 3.10.4 - fix(PortProxy)
+Refactor connection tracking to utilize unified records in PortProxy
+
+- Implemented a unified record system for tracking incoming and outgoing connections.
+- Replaced individual connection tracking sets with a Set of IConnectionRecord.
+- Improved logging of connection activities and statistics.
+
+## 2025-02-23 - 3.10.3 - fix(PortProxy)
+Refactor and optimize PortProxy for improved readability and maintainability
+
+- Simplified and clarified inline comments.
+- Optimized the extractSNI function for better readability.
+- Streamlined the cleanup process for connections in PortProxy.
+- Improved handling and logging of incoming and outgoing connections.
+
+## 2025-02-23 - 3.10.2 - fix(PortProxy)
+Fix connection handling to include timeouts for SNI-enabled connections.
+
+- Added initial data timeout for SNI-enabled connections to improve connection handling.
+- Cleared timeout once data is received to prevent premature socket closure.
+
+## 2025-02-22 - 3.10.1 - fix(PortProxy)
+Improve socket cleanup logic to prevent potential resource leaks
+
+- Updated socket cleanup in PortProxy to ensure sockets are forcefully destroyed if not already destroyed.
+
+## 2025-02-22 - 3.10.0 - feat(smartproxy.portproxy)
+Enhance PortProxy with detailed connection statistics and termination tracking
+
+- Added tracking of termination statistics for incoming and outgoing connections
+- Enhanced logging to include detailed termination statistics
+- Introduced helpers to update and log termination stats
+- Retained detailed connection duration and active connection logging
+
+## 2025-02-22 - 3.9.4 - fix(PortProxy)
+Ensure proper cleanup on connection rejection in PortProxy
+
+- Added cleanup calls after socket end in connection rejection scenarios within PortProxy
+
+## 2025-02-21 - 3.9.3 - fix(PortProxy)
+Fix handling of optional outgoing socket in PortProxy
+
+- Refactored the cleanUpSockets function to correctly handle cases where the outgoing socket may be undefined.
+- Ensured correct handling of socket events with non-null assertions where applicable.
+- Improved robustness in connection establishment and cleanup processes.
+
+## 2025-02-21 - 3.9.2 - fix(PortProxy)
+Improve timeout handling for port proxy connections
+
+- Added console logging for both incoming and outgoing side timeouts in the PortProxy class.
+- Updated the timeout event handlers to ensure proper cleanup of connections.
+
+## 2025-02-21 - 3.9.1 - fix(dependencies)
+Ensure correct ordering of dependencies and improve logging format.
+
+- Reorder dependencies in package.json for better readability.
+- Use pretty-ms for displaying time durations in logs.
+
 ## 2025-02-21 - 3.9.0 - feat(smartproxy.portproxy)
 Add logging of connection durations to PortProxy
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "3.9.0",
+  "version": "3.11.0",
   "private": false,
   "description": "a proxy for handling high workloads of proxying",
   "main": "dist_ts/index.js",
@@ -29,10 +29,12 @@
     "@push.rocks/smartrequest": "^2.0.23",
     "@push.rocks/smartstring": "^4.0.15",
     "@tsclass/tsclass": "^4.4.0",
+    "@types/minimatch": "^5.1.2",
     "@types/ws": "^8.5.14",
-    "ws": "^8.18.0",
+    "acme-client": "^5.4.0",
     "minimatch": "^9.0.3",
-    "@types/minimatch": "^5.1.2"
+    "pretty-ms": "^9.2.0",
+    "ws": "^8.18.0"
   },
   "files": [
     "ts/**/*",

pnpm-lock.yaml

@@ -32,9 +32,15 @@ importers:
       '@types/ws':
         specifier: ^8.5.14
         version: 8.5.14
+      acme-client:
+        specifier: ^5.4.0
+        version: 5.4.0
       minimatch:
         specifier: ^9.0.3
         version: 9.0.5
+      pretty-ms:
+        specifier: ^9.2.0
+        version: 9.2.0
       ws:
         specifier: ^8.18.0
         version: 8.18.0
@@ -680,6 +686,39 @@ packages:
   '@pdf-lib/upng@1.0.1':
     resolution: {integrity: sha512-dQK2FUMQtowVP00mtIksrlZhdFXQZPC+taih1q4CvPZ5vqdxR/LKBaFg0oAfzd1GlHZXXSPdQfzQnt+ViGvEIQ==}
 
+  '@peculiar/asn1-cms@2.3.15':
+    resolution: {integrity: sha512-B+DoudF+TCrxoJSTjjcY8Mmu+lbv8e7pXGWrhNp2/EGJp9EEcpzjBCar7puU57sGifyzaRVM03oD5L7t7PghQg==}
+
+  '@peculiar/asn1-csr@2.3.15':
+    resolution: {integrity: sha512-caxAOrvw2hUZpxzhz8Kp8iBYKsHbGXZPl2KYRMIPvAfFateRebS3136+orUpcVwHRmpXWX2kzpb6COlIrqCumA==}
+
+  '@peculiar/asn1-ecc@2.3.15':
+    resolution: {integrity: sha512-/HtR91dvgog7z/WhCVdxZJ/jitJuIu8iTqiyWVgRE9Ac5imt2sT/E4obqIVGKQw7PIy+X6i8lVBoT6wC73XUgA==}
+
+  '@peculiar/asn1-pfx@2.3.15':
+    resolution: {integrity: sha512-E3kzQe3J2xV9DP6SJS4X6/N1e4cYa2xOAK46VtvpaRk8jlheNri8v0rBezKFVPB1rz/jW8npO+u1xOvpATFMWg==}
+
+  '@peculiar/asn1-pkcs8@2.3.15':
+    resolution: {integrity: sha512-/PuQj2BIAw1/v76DV1LUOA6YOqh/UvptKLJHtec/DQwruXOCFlUo7k6llegn8N5BTeZTWMwz5EXruBw0Q10TMg==}
+
+  '@peculiar/asn1-pkcs9@2.3.15':
+    resolution: {integrity: sha512-yiZo/1EGvU1KiQUrbcnaPGWc0C7ElMMskWn7+kHsCFm+/9fU0+V1D/3a5oG0Jpy96iaXggQpA9tzdhnYDgjyFg==}
+
+  '@peculiar/asn1-rsa@2.3.15':
+    resolution: {integrity: sha512-p6hsanvPhexRtYSOHihLvUUgrJ8y0FtOM97N5UEpC+VifFYyZa0iZ5cXjTkZoDwxJ/TTJ1IJo3HVTB2JJTpXvg==}
+
+  '@peculiar/asn1-schema@2.3.15':
+    resolution: {integrity: sha512-QPeD8UA8axQREpgR5UTAfu2mqQmm97oUqahDtNdBcfj3qAnoXzFdQW+aNf/tD2WVXF8Fhmftxoj0eMIT++gX2w==}
+
+  '@peculiar/asn1-x509-attr@2.3.15':
+    resolution: {integrity: sha512-TWJVJhqc+IS4MTEML3l6W1b0sMowVqdsnI4dnojg96LvTuP8dga9f76fjP07MUuss60uSyT2ckoti/2qHXA10A==}
+
+  '@peculiar/asn1-x509@2.3.15':
+    resolution: {integrity: sha512-0dK5xqTqSLaxv1FHXIcd4Q/BZNuopg+u1l23hT9rOmQ1g4dNtw0g/RnEi+TboB0gOwGtrWn269v27cMgchFIIg==}
+
+  '@peculiar/x509@1.12.3':
+    resolution: {integrity: sha512-+Mzq+W7cNEKfkNZzyLl6A6ffqc3r21HGZUezgfKxpZrkORfOqgRXnS80Zu0IV6a9Ue9QBJeKD7kN0iWfc3bhRQ==}
+
   '@pkgjs/parseargs@0.11.0':
     resolution: {integrity: sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==}
     engines: {node: '>=14'}
@@ -1560,6 +1599,10 @@ packages:
     resolution: {integrity: sha512-PYAthTa2m2VKxuvSD3DPC/Gy+U+sOA1LAuT8mkmRuvw+NACSaeXEQ+NHcVF7rONl6qcaxV3Uuemwawk+7+SJLw==}
     engines: {node: '>= 0.6'}
 
+  acme-client@5.4.0:
+    resolution: {integrity: sha512-mORqg60S8iML6XSmVjqjGHJkINrCGLMj2QvDmFzI9vIlv1RGlyjmw3nrzaINJjkNsYXC41XhhD5pfy7CtuGcbA==}
+    engines: {node: '>= 16'}
+
   agent-base@6.0.2:
     resolution: {integrity: sha512-RZNwNclF7+MS/8bDg70amg32dyeZGZxiDuQmZxKLAlQjr3jGyLx+4Kkk58UO7D2QdgFIQCovuSuZESne6RG6XQ==}
     engines: {node: '>= 6.0.0'}
@@ -1623,6 +1666,10 @@ packages:
     resolution: {integrity: sha512-HGyxoOTYUyCM6stUe6EJgnd4EoewAI7zMdfqO+kGjnlZmBDz/cR5pf8r/cR4Wq60sL/p0IkcjUEEPwS3GFrIyw==}
     engines: {node: '>=8'}
 
+  asn1js@3.0.5:
+    resolution: {integrity: sha512-FVnvrKJwpt9LP2lAMl8qZswRNm3T4q9CON+bxldk2iwk3FFpuwhx2FfinyitizWHsVYyaY+y5JzDR0rCMV5yTQ==}
+    engines: {node: '>=12.0.0'}
+
   astral-regex@2.0.0:
     resolution: {integrity: sha512-Z7tMw1ytTXt5jqMcOP+OQteU1VuNK9Y02uuJtKQ1Sv69jXQKKg5cibLwGJow8yzZP+eAc18EmLGPal0bp36rvQ==}
     engines: {node: '>=8'}
@@ -1640,6 +1687,9 @@ packages:
     resolution: {integrity: sha512-RE3mdQ7P3FRSe7eqCWoeQ/Z9QXrtniSjp1wUjt5nRC3WIpz5rSCve6o3fsZ2aCpJtrZjSZgjwXAoTO5k4tEI0w==}
     engines: {node: '>=4'}
 
+  axios@1.7.9:
+    resolution: {integrity: sha512-LhLcE7Hbiryz8oMDdDptSrWowmB4Bl6RCt6sIJKpRB4XtVf0iEgewX3au/pJqm+Py1kCASkb/FFKjxQaLtxJvw==}
+
   b4a@1.6.7:
     resolution: {integrity: sha512-OnAYlL5b7LEkALw87fUVafQw5rVR9RjwGd4KUwNQ6DrrNmaVaUCgLipfVlzrPQ4tWOR9P0IXGNOx50jYCCdSJg==}
 
@@ -3460,6 +3510,13 @@ packages:
     resolution: {integrity: sha512-+vZPU8iBSdCx1Kn5hHas80fyo0TiVyMeqLGv/1dygX2HKhAZjO9YThadbRTCoTYq0yWw+w/CysldPsEekDtjDQ==}
     engines: {node: '>=14.1.0'}
 
+  pvtsutils@1.3.6:
+    resolution: {integrity: sha512-PLgQXQ6H2FWCaeRak8vvk1GW462lMxB5s3Jm673N82zI4vqtVUPuZdffdZbPDFRoU8kAhItWFtPCWiPpp4/EDg==}
+
+  pvutils@1.1.3:
+    resolution: {integrity: sha512-pMpnA0qRdFp32b1sJl1wOJNxZLQ2cbQx+k6tjNtZ8CpvVhNqEPRgivZ2WOUev2YMajecdH7ctUPDvEe87nariQ==}
+    engines: {node: '>=6.0.0'}
+
   qs@6.13.0:
     resolution: {integrity: sha512-+38qI9SOr8tfZ4QmJNplMUxqjbe7LKvvZgWdExBOmd+egZTtjLB67Gu0HRX3u/XOq7UU2Nx6nsjvS16Z9uwfpg==}
     engines: {node: '>=0.6'}
@@ -3505,6 +3562,9 @@ packages:
     resolution: {integrity: sha512-h80JrZu/MHUZCyHu5ciuoI0+WxsCxzxJTILn6Fs8rxSnFPh+UVHYfeIxK1nVGugMqkfC4vJcBOYbkfkwYK0+gw==}
     engines: {node: '>= 14.18.0'}
 
+  reflect-metadata@0.2.2:
+    resolution: {integrity: sha512-urBwgfrvVP/eAyXx4hluJivBKzuEbSQs9rKWCrCkbSxNv8mxPcUZKeuoF3Uy4mJl3Lwprp6yy5/39VWigZ4K6Q==}
+
   regenerator-runtime@0.14.1:
     resolution: {integrity: sha512-dYnhHh0nJoMfnkZs6GmmhFknAGRrLznOu5nc9ML+EJxGvrx6H7teuevqVqCuPcPK//3eDrrjQhehXVx9cnkGdw==}
 
@@ -3894,6 +3954,10 @@ packages:
     engines: {node: '>=18.0.0'}
     hasBin: true
 
+  tsyringe@4.8.0:
+    resolution: {integrity: sha512-YB1FG+axdxADa3ncEtRnQCFq/M0lALGLxSZeVNbTU8NqhOVc51nnv2CISTcvc1kyv6EGPtXVr0v6lWeDxiijOA==}
+    engines: {node: '>= 6.0.0'}
+
   turndown-plugin-gfm@1.0.2:
     resolution: {integrity: sha512-vwz9tfvF7XN/jE0dGoBei3FXWuvll78ohzCZQuOb+ZjWrs3a0XhQVomJEb2Qh4VHTPNRO4GPZh0V7VRbiWwkRg==}
 
@@ -5209,6 +5273,96 @@ snapshots:
     dependencies:
       pako: 1.0.11
 
+  '@peculiar/asn1-cms@2.3.15':
+    dependencies:
+      '@peculiar/asn1-schema': 2.3.15
+      '@peculiar/asn1-x509': 2.3.15
+      '@peculiar/asn1-x509-attr': 2.3.15
+      asn1js: 3.0.5
+      tslib: 2.8.1
+
+  '@peculiar/asn1-csr@2.3.15':
+    dependencies:
+      '@peculiar/asn1-schema': 2.3.15
+      '@peculiar/asn1-x509': 2.3.15
+      asn1js: 3.0.5
+      tslib: 2.8.1
+
+  '@peculiar/asn1-ecc@2.3.15':
+    dependencies:
+      '@peculiar/asn1-schema': 2.3.15
+      '@peculiar/asn1-x509': 2.3.15
+      asn1js: 3.0.5
+      tslib: 2.8.1
+
+  '@peculiar/asn1-pfx@2.3.15':
+    dependencies:
+      '@peculiar/asn1-cms': 2.3.15
+      '@peculiar/asn1-pkcs8': 2.3.15
+      '@peculiar/asn1-rsa': 2.3.15
+      '@peculiar/asn1-schema': 2.3.15
+      asn1js: 3.0.5
+      tslib: 2.8.1
+
+  '@peculiar/asn1-pkcs8@2.3.15':
+    dependencies:
+      '@peculiar/asn1-schema': 2.3.15
+      '@peculiar/asn1-x509': 2.3.15
+      asn1js: 3.0.5
+      tslib: 2.8.1
+
+  '@peculiar/asn1-pkcs9@2.3.15':
+    dependencies:
+      '@peculiar/asn1-cms': 2.3.15
+      '@peculiar/asn1-pfx': 2.3.15
+      '@peculiar/asn1-pkcs8': 2.3.15
+      '@peculiar/asn1-schema': 2.3.15
+      '@peculiar/asn1-x509': 2.3.15
+      '@peculiar/asn1-x509-attr': 2.3.15
+      asn1js: 3.0.5
+      tslib: 2.8.1
+
+  '@peculiar/asn1-rsa@2.3.15':
+    dependencies:
+      '@peculiar/asn1-schema': 2.3.15
+      '@peculiar/asn1-x509': 2.3.15
+      asn1js: 3.0.5
+      tslib: 2.8.1
+
+  '@peculiar/asn1-schema@2.3.15':
+    dependencies:
+      asn1js: 3.0.5
+      pvtsutils: 1.3.6
+      tslib: 2.8.1
+
+  '@peculiar/asn1-x509-attr@2.3.15':
+    dependencies:
+      '@peculiar/asn1-schema': 2.3.15
+      '@peculiar/asn1-x509': 2.3.15
+      asn1js: 3.0.5
+      tslib: 2.8.1
+
+  '@peculiar/asn1-x509@2.3.15':
+    dependencies:
+      '@peculiar/asn1-schema': 2.3.15
+      asn1js: 3.0.5
+      pvtsutils: 1.3.6
+      tslib: 2.8.1
+
+  '@peculiar/x509@1.12.3':
+    dependencies:
+      '@peculiar/asn1-cms': 2.3.15
+      '@peculiar/asn1-csr': 2.3.15
+      '@peculiar/asn1-ecc': 2.3.15
+      '@peculiar/asn1-pkcs9': 2.3.15
+      '@peculiar/asn1-rsa': 2.3.15
+      '@peculiar/asn1-schema': 2.3.15
+      '@peculiar/asn1-x509': 2.3.15
+      pvtsutils: 1.3.6
+      reflect-metadata: 0.2.2
+      tslib: 2.8.1
+      tsyringe: 4.8.0
+
   '@pkgjs/parseargs@0.11.0':
     optional: true
 
@@ -6780,6 +6934,16 @@ snapshots:
       mime-types: 2.1.35
       negotiator: 0.6.3
 
+  acme-client@5.4.0:
+    dependencies:
+      '@peculiar/x509': 1.12.3
+      asn1js: 3.0.5
+      axios: 1.7.9(debug@4.4.0)
+      debug: 4.4.0
+      node-forge: 1.3.1
+    transitivePeerDependencies:
+      - supports-color
+
   agent-base@6.0.2:
     dependencies:
       debug: 4.3.4
@@ -6831,6 +6995,12 @@ snapshots:
 
   array-union@2.1.0: {}
 
+  asn1js@3.0.5:
+    dependencies:
+      pvtsutils: 1.3.6
+      pvutils: 1.1.3
+      tslib: 2.8.1
+
   astral-regex@2.0.0: {}
 
   async-mutex@0.3.2:
@@ -6843,6 +7013,14 @@ snapshots:
 
   axe-core@4.10.2: {}
 
+  axios@1.7.9(debug@4.4.0):
+    dependencies:
+      follow-redirects: 1.15.9(debug@4.4.0)
+      form-data: 4.0.1
+      proxy-from-env: 1.1.0
+    transitivePeerDependencies:
+      - debug
+
   b4a@1.6.7: {}
 
   bail@2.0.2: {}
@@ -8951,6 +9129,12 @@ snapshots:
       - supports-color
       - utf-8-validate
 
+  pvtsutils@1.3.6:
+    dependencies:
+      tslib: 2.8.1
+
+  pvutils@1.1.3: {}
+
   qs@6.13.0:
     dependencies:
       side-channel: 1.1.0
@@ -9005,6 +9189,8 @@ snapshots:
 
   readdirp@4.1.1: {}
 
+  reflect-metadata@0.2.2: {}
+
   regenerator-runtime@0.14.1: {}
 
   registry-auth-token@5.0.3:
@@ -9485,6 +9671,10 @@ snapshots:
     optionalDependencies:
       fsevents: 2.3.3
 
+  tsyringe@4.8.0:
+    dependencies:
+      tslib: 1.14.1
+
   turndown-plugin-gfm@1.0.2: {}
 
   turndown@7.2.0:

test/test.portproxy.ts

@@ -1,6 +1,6 @@
 import { expect, tap } from '@push.rocks/tapbundle';
 import * as net from 'net';
-import { PortProxy } from '../ts/smartproxy.portproxy.js';
+import { PortProxy } from '../ts/classes.portproxy.js';
 
 let testServer: net.Server;
 let portProxy: PortProxy;

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '3.9.0',
+  version: '3.11.0',
   description: 'a proxy for handling high workloads of proxying'
 }

ts/classes.networkproxy.ts

@@ -1,5 +1,5 @@
 import * as plugins from './plugins.js';
-import { ProxyRouter } from './smartproxy.classes.router.js';
+import { ProxyRouter } from './classes.router.js';
 import * as fs from 'fs';
 import * as path from 'path';
 import { fileURLToPath } from 'url';

ts/classes.port80handler.ts

@@ -0,0 +1,214 @@
+import * as http from 'http';
+import * as acme from 'acme-client';
+
+interface IDomainCertificate {
+  certObtained: boolean;
+  obtainingInProgress: boolean;
+  certificate?: string;
+  privateKey?: string;
+  challengeToken?: string;
+  challengeKeyAuthorization?: string;
+}
+
+export class Port80Handler {
+  private domainCertificates: Map<string, IDomainCertificate>;
+  private server: http.Server;
+  private acmeClient: acme.Client | null = null;
+  private accountKey: string | null = null;
+
+  constructor() {
+    this.domainCertificates = new Map<string, IDomainCertificate>();
+
+    // Create and start an HTTP server on port 80.
+    this.server = http.createServer((req, res) => this.handleRequest(req, res));
+    this.server.listen(80, () => {
+      console.log('Port80Handler is listening on port 80');
+    });
+  }
+
+  /**
+   * Adds a domain to be managed.
+   * @param domain The domain to add.
+   */
+  public addDomain(domain: string): void {
+    if (!this.domainCertificates.has(domain)) {
+      this.domainCertificates.set(domain, { certObtained: false, obtainingInProgress: false });
+      console.log(`Domain added: ${domain}`);
+    }
+  }
+
+  /**
+   * Removes a domain from management.
+   * @param domain The domain to remove.
+   */
+  public removeDomain(domain: string): void {
+    if (this.domainCertificates.delete(domain)) {
+      console.log(`Domain removed: ${domain}`);
+    }
+  }
+
+  /**
+   * Lazy initialization of the ACME client.
+   * Uses Let’s Encrypt’s production directory (for testing you might switch to staging).
+   */
+  private async getAcmeClient(): Promise<acme.Client> {
+    if (this.acmeClient) {
+      return this.acmeClient;
+    }
+    // Generate a new account key and convert Buffer to string.
+    this.accountKey = (await acme.forge.createPrivateKey()).toString();
+    this.acmeClient = new acme.Client({
+      directoryUrl: acme.directory.letsencrypt.production, // Use production for a real certificate
+      // For testing, you could use:
+      // directoryUrl: acme.directory.letsencrypt.staging,
+      accountKey: this.accountKey,
+    });
+    // Create a new account. Make sure to update the contact email.
+    await this.acmeClient.createAccount({
+      termsOfServiceAgreed: true,
+      contact: ['mailto:admin@example.com'],
+    });
+    return this.acmeClient;
+  }
+
+  /**
+   * Handles incoming HTTP requests on port 80.
+   * If the request is for an ACME challenge, it responds with the key authorization.
+   * If the domain has a certificate, it redirects to HTTPS; otherwise, it initiates certificate issuance.
+   */
+  private handleRequest(req: http.IncomingMessage, res: http.ServerResponse): void {
+    const hostHeader = req.headers.host;
+    if (!hostHeader) {
+      res.statusCode = 400;
+      res.end('Bad Request: Host header is missing');
+      return;
+    }
+    // Extract domain (ignoring any port in the Host header)
+    const domain = hostHeader.split(':')[0];
+
+    // If the request is for an ACME HTTP-01 challenge, handle it.
+    if (req.url && req.url.startsWith('/.well-known/acme-challenge/')) {
+      this.handleAcmeChallenge(req, res, domain);
+      return;
+    }
+
+    if (!this.domainCertificates.has(domain)) {
+      res.statusCode = 404;
+      res.end('Domain not configured');
+      return;
+    }
+
+    const domainInfo = this.domainCertificates.get(domain)!;
+
+    // If certificate exists, redirect to HTTPS on port 443.
+    if (domainInfo.certObtained) {
+      const redirectUrl = `https://${domain}:443${req.url}`;
+      res.statusCode = 301;
+      res.setHeader('Location', redirectUrl);
+      res.end(`Redirecting to ${redirectUrl}`);
+    } else {
+      // Trigger certificate issuance if not already running.
+      if (!domainInfo.obtainingInProgress) {
+        domainInfo.obtainingInProgress = true;
+        this.obtainCertificate(domain).catch(err => {
+          console.error(`Error obtaining certificate for ${domain}:`, err);
+        });
+      }
+      res.statusCode = 503;
+      res.end('Certificate issuance in progress, please try again later.');
+    }
+  }
+
+  /**
+   * Serves the ACME HTTP-01 challenge response.
+   */
+  private handleAcmeChallenge(req: http.IncomingMessage, res: http.ServerResponse, domain: string): void {
+    const domainInfo = this.domainCertificates.get(domain);
+    if (!domainInfo) {
+      res.statusCode = 404;
+      res.end('Domain not configured');
+      return;
+    }
+    // The token is the last part of the URL.
+    const urlParts = req.url?.split('/');
+    const token = urlParts ? urlParts[urlParts.length - 1] : '';
+    if (domainInfo.challengeToken === token && domainInfo.challengeKeyAuthorization) {
+      res.statusCode = 200;
+      res.setHeader('Content-Type', 'text/plain');
+      res.end(domainInfo.challengeKeyAuthorization);
+      console.log(`Served ACME challenge response for ${domain}`);
+    } else {
+      res.statusCode = 404;
+      res.end('Challenge token not found');
+    }
+  }
+
+  /**
+   * Uses acme-client to perform a full ACME HTTP-01 challenge to obtain a certificate.
+   * On success, it stores the certificate and key in memory and clears challenge data.
+   */
+  private async obtainCertificate(domain: string): Promise<void> {
+    try {
+      const client = await this.getAcmeClient();
+
+      // Create a new order for the domain.
+      const order = await client.createOrder({
+        identifiers: [{ type: 'dns', value: domain }],
+      });
+
+      // Get the authorizations for the order.
+      const authorizations = await client.getAuthorizations(order);
+      for (const authz of authorizations) {
+        const challenge = authz.challenges.find(ch => ch.type === 'http-01');
+        if (!challenge) {
+          throw new Error('HTTP-01 challenge not found');
+        }
+        // Get the key authorization for the challenge.
+        const keyAuthorization = await client.getChallengeKeyAuthorization(challenge);
+        const domainInfo = this.domainCertificates.get(domain)!;
+        domainInfo.challengeToken = challenge.token;
+        domainInfo.challengeKeyAuthorization = keyAuthorization;
+
+        // Notify the ACME server that the challenge is ready.
+        // The acme-client examples show that verifyChallenge takes three arguments:
+        // (authorization, challenge, keyAuthorization). However, the official TypeScript
+        // types appear to be out-of-sync. As a workaround, we cast client to 'any'.
+        await (client as any).verifyChallenge(authz, challenge, keyAuthorization);
+
+        await client.completeChallenge(challenge);
+        // Wait until the challenge is validated.
+        await client.waitForValidStatus(challenge);
+        console.log(`HTTP-01 challenge completed for ${domain}`);
+      }
+
+      // Generate a CSR and a new private key for the domain.
+      // Convert the resulting Buffers to strings.
+      const [csrBuffer, privateKeyBuffer] = await acme.forge.createCsr({
+        commonName: domain,
+      });
+      const csr = csrBuffer.toString();
+      const privateKey = privateKeyBuffer.toString();
+
+      // Finalize the order and obtain the certificate.
+      await client.finalizeOrder(order, csr);
+      const certificate = await client.getCertificate(order);
+
+      const domainInfo = this.domainCertificates.get(domain)!;
+      domainInfo.certificate = certificate;
+      domainInfo.privateKey = privateKey;
+      domainInfo.certObtained = true;
+      domainInfo.obtainingInProgress = false;
+      delete domainInfo.challengeToken;
+      delete domainInfo.challengeKeyAuthorization;
+
+      console.log(`Certificate obtained for ${domain}`);
+      // In a production system, persist the certificate and key and reload your TLS server.
+    } catch (error) {
+      console.error(`Error during certificate issuance for ${domain}:`, error);
+      const domainInfo = this.domainCertificates.get(domain);
+      if (domainInfo) {
+        domainInfo.obtainingInProgress = false;
+      }
+    }
+  }
+}

ts/classes.portproxy.ts

@@ -0,0 +1,352 @@
+import * as plugins from './plugins.js';
+
+export interface IDomainConfig {
+  domain: string;         // Glob pattern for domain
+  allowedIPs: string[];   // Glob patterns for allowed IPs
+  targetIP?: string;      // Optional target IP for this domain
+}
+
+export interface IProxySettings extends plugins.tls.TlsOptions {
+  fromPort: number;
+  toPort: number;
+  toHost?: string; // Target host to proxy to, defaults to 'localhost'
+  domains: IDomainConfig[];
+  sniEnabled?: boolean;
+  defaultAllowedIPs?: string[];
+  preserveSourceIP?: boolean;
+}
+
+/**
+ * Extracts the SNI (Server Name Indication) from a TLS ClientHello packet.
+ * @param buffer - Buffer containing the TLS ClientHello.
+ * @returns The server name if found, otherwise undefined.
+ */
+function extractSNI(buffer: Buffer): string | undefined {
+  let offset = 0;
+  if (buffer.length < 5) return undefined;
+
+  const recordType = buffer.readUInt8(0);
+  if (recordType !== 22) return undefined; // 22 = handshake
+
+  const recordLength = buffer.readUInt16BE(3);
+  if (buffer.length < 5 + recordLength) return undefined;
+
+  offset = 5;
+  const handshakeType = buffer.readUInt8(offset);
+  if (handshakeType !== 1) return undefined; // 1 = ClientHello
+
+  offset += 4; // Skip handshake header (type + length)
+  offset += 2 + 32; // Skip client version and random
+
+  const sessionIDLength = buffer.readUInt8(offset);
+  offset += 1 + sessionIDLength; // Skip session ID
+
+  const cipherSuitesLength = buffer.readUInt16BE(offset);
+  offset += 2 + cipherSuitesLength; // Skip cipher suites
+
+  const compressionMethodsLength = buffer.readUInt8(offset);
+  offset += 1 + compressionMethodsLength; // Skip compression methods
+
+  if (offset + 2 > buffer.length) return undefined;
+  const extensionsLength = buffer.readUInt16BE(offset);
+  offset += 2;
+  const extensionsEnd = offset + extensionsLength;
+
+  while (offset + 4 <= extensionsEnd) {
+    const extensionType = buffer.readUInt16BE(offset);
+    const extensionLength = buffer.readUInt16BE(offset + 2);
+    offset += 4;
+    if (extensionType === 0x0000) { // SNI extension
+      if (offset + 2 > buffer.length) return undefined;
+      const sniListLength = buffer.readUInt16BE(offset);
+      offset += 2;
+      const sniListEnd = offset + sniListLength;
+      while (offset + 3 < sniListEnd) {
+        const nameType = buffer.readUInt8(offset++);
+        const nameLen = buffer.readUInt16BE(offset);
+        offset += 2;
+        if (nameType === 0) { // host_name
+          if (offset + nameLen > buffer.length) return undefined;
+          return buffer.toString('utf8', offset, offset + nameLen);
+        }
+        offset += nameLen;
+      }
+      break;
+    } else {
+      offset += extensionLength;
+    }
+  }
+  return undefined;
+}
+
+interface IConnectionRecord {
+  incoming: plugins.net.Socket;
+  outgoing: plugins.net.Socket | null;
+  incomingStartTime: number;
+  outgoingStartTime?: number;
+  connectionClosed: boolean;
+}
+
+export class PortProxy {
+  netServer: plugins.net.Server;
+  settings: IProxySettings;
+  // Unified record tracking each connection pair.
+  private connectionRecords: Set<IConnectionRecord> = new Set();
+  private connectionLogger: NodeJS.Timeout | null = null;
+
+  private terminationStats: {
+    incoming: Record<string, number>;
+    outgoing: Record<string, number>;
+  } = {
+    incoming: {},
+    outgoing: {},
+  };
+
+  constructor(settings: IProxySettings) {
+    this.settings = {
+      ...settings,
+      toHost: settings.toHost || 'localhost',
+    };
+  }
+
+  private incrementTerminationStat(side: 'incoming' | 'outgoing', reason: string): void {
+    this.terminationStats[side][reason] = (this.terminationStats[side][reason] || 0) + 1;
+  }
+
+  public async start() {
+    // Helper to forcefully destroy sockets.
+    const cleanUpSockets = (socketA: plugins.net.Socket, socketB?: plugins.net.Socket) => {
+      if (!socketA.destroyed) socketA.destroy();
+      if (socketB && !socketB.destroyed) socketB.destroy();
+    };
+
+    // Normalize an IP to include both IPv4 and IPv6 representations.
+    const normalizeIP = (ip: string): string[] => {
+      if (ip.startsWith('::ffff:')) {
+        const ipv4 = ip.slice(7);
+        return [ip, ipv4];
+      }
+      if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
+        return [ip, `::ffff:${ip}`];
+      }
+      return [ip];
+    };
+
+    // Check if a given IP matches any of the glob patterns.
+    const isAllowed = (ip: string, patterns: string[]): boolean => {
+      const normalizedIPVariants = normalizeIP(ip);
+      const expandedPatterns = patterns.flatMap(normalizeIP);
+      return normalizedIPVariants.some(ipVariant =>
+        expandedPatterns.some(pattern => plugins.minimatch(ipVariant, pattern))
+      );
+    };
+
+    // Find a matching domain config based on the SNI.
+    const findMatchingDomain = (serverName: string): IDomainConfig | undefined =>
+      this.settings.domains.find(config => plugins.minimatch(serverName, config.domain));
+
+    this.netServer = plugins.net.createServer((socket: plugins.net.Socket) => {
+      const remoteIP = socket.remoteAddress || '';
+      const connectionRecord: IConnectionRecord = {
+        incoming: socket,
+        outgoing: null,
+        incomingStartTime: Date.now(),
+        connectionClosed: false,
+      };
+      this.connectionRecords.add(connectionRecord);
+      console.log(`New connection from ${remoteIP}. Active connections: ${this.connectionRecords.size}`);
+
+      let initialDataReceived = false;
+      let incomingTerminationReason: string | null = null;
+      let outgoingTerminationReason: string | null = null;
+
+      // Ensure cleanup happens only once for the entire connection record.
+      const cleanupOnce = () => {
+        if (!connectionRecord.connectionClosed) {
+          connectionRecord.connectionClosed = true;
+          cleanUpSockets(connectionRecord.incoming, connectionRecord.outgoing || undefined);
+          this.connectionRecords.delete(connectionRecord);
+          console.log(`Connection from ${remoteIP} terminated. Active connections: ${this.connectionRecords.size}`);
+        }
+      };
+
+      // Helper to reject an incoming connection.
+      const rejectIncomingConnection = (reason: string, logMessage: string) => {
+        console.log(logMessage);
+        socket.end();
+        if (incomingTerminationReason === null) {
+          incomingTerminationReason = reason;
+          this.incrementTerminationStat('incoming', reason);
+        }
+        cleanupOnce();
+      };
+
+      socket.on('error', (err: Error) => {
+        const errorMessage = initialDataReceived
+          ? `(Immediate) Incoming socket error from ${remoteIP}: ${err.message}`
+          : `(Premature) Incoming socket error from ${remoteIP} before data received: ${err.message}`;
+        console.log(errorMessage);
+      });
+
+      const handleError = (side: 'incoming' | 'outgoing') => (err: Error) => {
+        const code = (err as any).code;
+        let reason = 'error';
+        if (code === 'ECONNRESET') {
+          reason = 'econnreset';
+          console.log(`ECONNRESET on ${side} side from ${remoteIP}: ${err.message}`);
+        } else {
+          console.log(`Error on ${side} side from ${remoteIP}: ${err.message}`);
+        }
+        if (side === 'incoming' && incomingTerminationReason === null) {
+          incomingTerminationReason = reason;
+          this.incrementTerminationStat('incoming', reason);
+        } else if (side === 'outgoing' && outgoingTerminationReason === null) {
+          outgoingTerminationReason = reason;
+          this.incrementTerminationStat('outgoing', reason);
+        }
+        cleanupOnce();
+      };
+
+      const handleClose = (side: 'incoming' | 'outgoing') => () => {
+        console.log(`Connection closed on ${side} side from ${remoteIP}`);
+        if (side === 'incoming' && incomingTerminationReason === null) {
+          incomingTerminationReason = 'normal';
+          this.incrementTerminationStat('incoming', 'normal');
+        } else if (side === 'outgoing' && outgoingTerminationReason === null) {
+          outgoingTerminationReason = 'normal';
+          this.incrementTerminationStat('outgoing', 'normal');
+        }
+        cleanupOnce();
+      };
+
+      const setupConnection = (serverName: string, initialChunk?: Buffer) => {
+        const defaultAllowed = this.settings.defaultAllowedIPs && isAllowed(remoteIP, this.settings.defaultAllowedIPs);
+
+        if (!defaultAllowed && serverName) {
+          const domainConfig = findMatchingDomain(serverName);
+          if (!domainConfig) {
+            return rejectIncomingConnection('rejected', `Connection rejected: No matching domain config for ${serverName} from ${remoteIP}`);
+          }
+          if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
+            return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed for domain ${serverName}`);
+          }
+        } else if (!defaultAllowed && !serverName) {
+          return rejectIncomingConnection('rejected', `Connection rejected: No SNI and IP ${remoteIP} not in default allowed list`);
+        } else if (defaultAllowed && !serverName) {
+          console.log(`Connection allowed: IP ${remoteIP} is in default allowed list`);
+        }
+
+        const domainConfig = serverName ? findMatchingDomain(serverName) : undefined;
+        const targetHost = domainConfig?.targetIP || this.settings.toHost!;
+        const connectionOptions: plugins.net.NetConnectOpts = {
+          host: targetHost,
+          port: this.settings.toPort,
+        };
+        if (this.settings.preserveSourceIP) {
+          connectionOptions.localAddress = remoteIP.replace('::ffff:', '');
+        }
+
+        const targetSocket = plugins.net.connect(connectionOptions);
+        connectionRecord.outgoing = targetSocket;
+        connectionRecord.outgoingStartTime = Date.now();
+
+        console.log(
+          `Connection established: ${remoteIP} -> ${targetHost}:${this.settings.toPort}` +
+          `${serverName ? ` (SNI: ${serverName})` : ''}`
+        );
+
+        if (initialChunk) {
+          socket.unshift(initialChunk);
+        }
+        socket.setTimeout(120000);
+        socket.pipe(targetSocket);
+        targetSocket.pipe(socket);
+
+        socket.on('error', handleError('incoming'));
+        targetSocket.on('error', handleError('outgoing'));
+        socket.on('close', handleClose('incoming'));
+        targetSocket.on('close', handleClose('outgoing'));
+        socket.on('timeout', () => {
+          console.log(`Timeout on incoming side from ${remoteIP}`);
+          if (incomingTerminationReason === null) {
+            incomingTerminationReason = 'timeout';
+            this.incrementTerminationStat('incoming', 'timeout');
+          }
+          cleanupOnce();
+        });
+        targetSocket.on('timeout', () => {
+          console.log(`Timeout on outgoing side from ${remoteIP}`);
+          if (outgoingTerminationReason === null) {
+            outgoingTerminationReason = 'timeout';
+            this.incrementTerminationStat('outgoing', 'timeout');
+          }
+          cleanupOnce();
+        });
+        socket.on('end', handleClose('incoming'));
+        targetSocket.on('end', handleClose('outgoing'));
+      };
+
+      if (this.settings.sniEnabled) {
+        socket.setTimeout(5000, () => {
+          console.log(`Initial data timeout for ${remoteIP}`);
+          socket.end();
+          cleanupOnce();
+        });
+
+        socket.once('data', (chunk: Buffer) => {
+          socket.setTimeout(0);
+          initialDataReceived = true;
+          const serverName = extractSNI(chunk) || '';
+          console.log(`Received connection from ${remoteIP} with SNI: ${serverName}`);
+          setupConnection(serverName, chunk);
+        });
+      } else {
+        initialDataReceived = true;
+        if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
+          return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed for non-SNI connection`);
+        }
+        setupConnection('');
+      }
+    })
+      .on('error', (err: Error) => {
+        console.log(`Server Error: ${err.message}`);
+      })
+      .listen(this.settings.fromPort, () => {
+        console.log(
+          `PortProxy -> OK: Now listening on port ${this.settings.fromPort}` +
+          `${this.settings.sniEnabled ? ' (SNI passthrough enabled)' : ''}`
+        );
+      });
+
+    // Every 10 seconds log active connection count and longest running durations.
+    this.connectionLogger = setInterval(() => {
+      const now = Date.now();
+      let maxIncoming = 0;
+      let maxOutgoing = 0;
+      for (const record of this.connectionRecords) {
+        maxIncoming = Math.max(maxIncoming, now - record.incomingStartTime);
+        if (record.outgoingStartTime) {
+          maxOutgoing = Math.max(maxOutgoing, now - record.outgoingStartTime);
+        }
+      }
+      console.log(
+        `(Interval Log) Active connections: ${this.connectionRecords.size}. ` +
+        `Longest running incoming: ${plugins.prettyMs(maxIncoming)}, outgoing: ${plugins.prettyMs(maxOutgoing)}. ` +
+        `Termination stats (incoming): ${JSON.stringify(this.terminationStats.incoming)}, ` +
+        `(outgoing): ${JSON.stringify(this.terminationStats.outgoing)}`
+      );
+    }, 10000);
+  }
+
+  public async stop() {
+    const done = plugins.smartpromise.defer();
+    this.netServer.close(() => {
+      done.resolve();
+    });
+    if (this.connectionLogger) {
+      clearInterval(this.connectionLogger);
+      this.connectionLogger = null;
+    }
+    await done.promise;
+  }
+}

ts/index.ts

@@ -1,3 +1,4 @@
-export * from './smartproxy.classes.networkproxy.js';
-export * from './smartproxy.portproxy.js';
-export * from './smartproxy.classes.sslredirect.js';
+export * from './classes.networkproxy.js';
+export * from './classes.portproxy.js';
+export * from './classes.port80handler.js';
+export * from './classes.sslredirect.js';

ts/plugins.ts

@@ -22,8 +22,9 @@ import * as smartstring from '@push.rocks/smartstring';
 export { lik, smartdelay, smartrequest, smartpromise, smartstring };
 
 // third party scope
+import prettyMs from 'pretty-ms';
 import * as ws from 'ws';
 import wsDefault from 'ws';
 import { minimatch } from 'minimatch';
 
-export { wsDefault, ws, minimatch };
+export { prettyMs, ws, wsDefault, minimatch };

ts/smartproxy.portproxy.ts

@@ -1,347 +0,0 @@
-import * as plugins from './plugins.js';
-
-export interface IDomainConfig {
-  domain: string;         // glob pattern for domain
-  allowedIPs: string[];   // glob patterns for IPs allowed to access this domain
-  targetIP?: string;      // Optional target IP for this domain
-}
-
-export interface IProxySettings extends plugins.tls.TlsOptions {
-  // Port configuration
-  fromPort: number;
-  toPort: number;
-  toHost?: string;        // Target host to proxy to, defaults to 'localhost'
-
-  // Domain and security settings
-  domains: IDomainConfig[];
-  sniEnabled?: boolean;
-  defaultAllowedIPs?: string[]; // Optional default IP patterns if no matching domain found
-  preserveSourceIP?: boolean;   // Whether to preserve the client's source IP when proxying
-}
-
-/**
- * Extract SNI (Server Name Indication) from a TLS ClientHello packet.
- * Returns the server name if found, or undefined.
- */
-function extractSNI(buffer: Buffer): string | undefined {
-  let offset = 0;
-  // We need at least 5 bytes for the record header.
-  if (buffer.length < 5) {
-    return undefined;
-  }
-
-  // TLS record header
-  const recordType = buffer.readUInt8(0);
-  if (recordType !== 22) { // 22 = handshake
-    return undefined;
-  }
-  // Read record length
-  const recordLength = buffer.readUInt16BE(3);
-  if (buffer.length < 5 + recordLength) {
-    // Not all data arrived yet; in production you might need to accumulate more data.
-    return undefined;
-  }
-
-  offset = 5;
-  // Handshake message type should be 1 for ClientHello.
-  const handshakeType = buffer.readUInt8(offset);
-  if (handshakeType !== 1) {
-    return undefined;
-  }
-  // Skip handshake header (1 byte type + 3 bytes length)
-  offset += 4;
-
-  // Skip client version (2 bytes) and random (32 bytes)
-  offset += 2 + 32;
-
-  // Session ID
-  const sessionIDLength = buffer.readUInt8(offset);
-  offset += 1 + sessionIDLength;
-
-  // Cipher suites
-  const cipherSuitesLength = buffer.readUInt16BE(offset);
-  offset += 2 + cipherSuitesLength;
-
-  // Compression methods
-  const compressionMethodsLength = buffer.readUInt8(offset);
-  offset += 1 + compressionMethodsLength;
-
-  // Extensions length
-  if (offset + 2 > buffer.length) {
-    return undefined;
-  }
-  const extensionsLength = buffer.readUInt16BE(offset);
-  offset += 2;
-  const extensionsEnd = offset + extensionsLength;
-
-  // Iterate over extensions
-  while (offset + 4 <= extensionsEnd) {
-    const extensionType = buffer.readUInt16BE(offset);
-    const extensionLength = buffer.readUInt16BE(offset + 2);
-    offset += 4;
-
-    // Check for SNI extension (type 0)
-    if (extensionType === 0x0000) {
-      // SNI extension: first 2 bytes are the SNI list length.
-      if (offset + 2 > buffer.length) {
-        return undefined;
-      }
-      const sniListLength = buffer.readUInt16BE(offset);
-      offset += 2;
-      const sniListEnd = offset + sniListLength;
-      // Loop through the list; typically there is one entry.
-      while (offset + 3 < sniListEnd) {
-        const nameType = buffer.readUInt8(offset);
-        offset++;
-        const nameLen = buffer.readUInt16BE(offset);
-        offset += 2;
-        if (nameType === 0) { // host_name
-          if (offset + nameLen > buffer.length) {
-            return undefined;
-          }
-          const serverName = buffer.toString('utf8', offset, offset + nameLen);
-          return serverName;
-        }
-        offset += nameLen;
-      }
-      break;
-    } else {
-      offset += extensionLength;
-    }
-  }
-  return undefined;
-}
-
-export class PortProxy {
-  netServer: plugins.net.Server;
-  settings: IProxySettings;
-  // Track active incoming connections
-  private activeConnections: Set<plugins.net.Socket> = new Set();
-  // Record start times for incoming connections
-  private incomingConnectionTimes: Map<plugins.net.Socket, number> = new Map();
-  // Record start times for outgoing connections
-  private outgoingConnectionTimes: Map<plugins.net.Socket, number> = new Map();
-  private connectionLogger: NodeJS.Timeout | null = null;
-
-  constructor(settings: IProxySettings) {
-    this.settings = {
-      ...settings,
-      toHost: settings.toHost || 'localhost'
-    };
-  }
-
-  public async start() {
-    const cleanUpSockets = (from: plugins.net.Socket, to: plugins.net.Socket) => {
-      from.end();
-      to.end();
-      from.removeAllListeners();
-      to.removeAllListeners();
-      from.unpipe();
-      to.unpipe();
-      from.destroy();
-      to.destroy();
-    };
-
-    const normalizeIP = (ip: string): string[] => {
-      // Handle IPv4-mapped IPv6 addresses
-      if (ip.startsWith('::ffff:')) {
-        const ipv4 = ip.slice(7); // Remove '::ffff:' prefix
-        return [ip, ipv4];
-      }
-      // Handle IPv4 addresses by adding IPv4-mapped IPv6 variant
-      if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
-        return [ip, `::ffff:${ip}`];
-      }
-      return [ip];
-    };
-
-    const isAllowed = (value: string, patterns: string[]): boolean => {
-      // Expand patterns to include both IPv4 and IPv6 variants
-      const expandedPatterns = patterns.flatMap(normalizeIP);
-      // Check if any variant of the IP matches any expanded pattern
-      return normalizeIP(value).some(ip =>
-        expandedPatterns.some(pattern => plugins.minimatch(ip, pattern))
-      );
-    };
-
-    const findMatchingDomain = (serverName: string): IDomainConfig | undefined => {
-      return this.settings.domains.find(config => plugins.minimatch(serverName, config.domain));
-    };
-
-    // Create a plain net server for TLS passthrough.
-    this.netServer = plugins.net.createServer((socket: plugins.net.Socket) => {
-      const remoteIP = socket.remoteAddress || '';
-
-      // Record start time for the incoming connection.
-      this.activeConnections.add(socket);
-      this.incomingConnectionTimes.set(socket, Date.now());
-      console.log(`New connection from ${remoteIP}. Active connections: ${this.activeConnections.size}`);
-
-      // Flag to detect if we've received the first data chunk.
-      let initialDataReceived = false;
-
-      // Immediately attach an error handler to catch early errors.
-      socket.on('error', (err: Error) => {
-        if (!initialDataReceived) {
-          console.log(`(Premature) Incoming socket error from ${remoteIP} before data received: ${err.message}`);
-        } else {
-          console.log(`(Immediate) Incoming socket error from ${remoteIP}: ${err.message}`);
-        }
-      });
-
-      // Flag to ensure cleanup happens only once.
-      let connectionClosed = false;
-      const cleanupOnce = () => {
-        if (!connectionClosed) {
-          connectionClosed = true;
-          cleanUpSockets(socket, to);
-          this.incomingConnectionTimes.delete(socket);
-          if (to) {
-            this.outgoingConnectionTimes.delete(to);
-          }
-          if (this.activeConnections.has(socket)) {
-            this.activeConnections.delete(socket);
-            console.log(`Connection from ${remoteIP} terminated. Active connections: ${this.activeConnections.size}`);
-          }
-        }
-      };
-
-      let to: plugins.net.Socket;
-
-      const handleError = (side: 'incoming' | 'outgoing') => (err: Error) => {
-        const code = (err as any).code;
-        if (code === 'ECONNRESET') {
-          console.log(`ECONNRESET on ${side} side from ${remoteIP}: ${err.message}`);
-        } else {
-          console.log(`Error on ${side} side from ${remoteIP}: ${err.message}`);
-        }
-        cleanupOnce();
-      };
-
-      const handleClose = (side: 'incoming' | 'outgoing') => () => {
-        console.log(`Connection closed on ${side} side from ${remoteIP}`);
-        cleanupOnce();
-      };
-
-      // Setup connection, optionally accepting the initial data chunk.
-      const setupConnection = (serverName: string, initialChunk?: Buffer) => {
-        // Check if the IP is allowed by default.
-        const isDefaultAllowed = this.settings.defaultAllowedIPs && isAllowed(remoteIP, this.settings.defaultAllowedIPs);
-        if (!isDefaultAllowed && serverName) {
-          const domainConfig = findMatchingDomain(serverName);
-          if (!domainConfig) {
-            console.log(`Connection rejected: No matching domain config for ${serverName} from ${remoteIP}`);
-            socket.end();
-            return;
-          }
-          if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
-            console.log(`Connection rejected: IP ${remoteIP} not allowed for domain ${serverName}`);
-            socket.end();
-            return;
-          }
-        } else if (!isDefaultAllowed && !serverName) {
-          console.log(`Connection rejected: No SNI and IP ${remoteIP} not in default allowed list`);
-          socket.end();
-          return;
-        } else {
-          console.log(`Connection allowed: IP ${remoteIP} is in default allowed list`);
-        }
-
-        // Determine target host.
-        const domainConfig = serverName ? findMatchingDomain(serverName) : undefined;
-        const targetHost = domainConfig?.targetIP || this.settings.toHost!;
-
-        // Create connection options.
-        const connectionOptions: plugins.net.NetConnectOpts = {
-          host: targetHost,
-          port: this.settings.toPort,
-        };
-        if (this.settings.preserveSourceIP) {
-          connectionOptions.localAddress = remoteIP.replace('::ffff:', '');
-        }
-
-        // Establish outgoing connection.
-        to = plugins.net.connect(connectionOptions);
-        // Record start time for the outgoing connection.
-        this.outgoingConnectionTimes.set(to, Date.now());
-        console.log(`Connection established: ${remoteIP} -> ${targetHost}:${this.settings.toPort}${serverName ? ` (SNI: ${serverName})` : ''}`);
-        
-        // Push back the initial chunk if provided.
-        if (initialChunk) {
-          socket.unshift(initialChunk);
-        }
-        socket.setTimeout(120000);
-        socket.pipe(to);
-        to.pipe(socket);
-
-        // Attach error and close handlers for both sockets.
-        socket.on('error', handleError('incoming'));
-        to.on('error', handleError('outgoing'));
-        socket.on('close', handleClose('incoming'));
-        to.on('close', handleClose('outgoing'));
-        socket.on('timeout', handleError('incoming'));
-        to.on('timeout', handleError('outgoing'));
-        socket.on('end', handleClose('incoming'));
-        to.on('end', handleClose('outgoing'));
-      };
-
-      // For SNI-enabled connections, peek at the first chunk.
-      if (this.settings.sniEnabled) {
-        socket.once('data', (chunk: Buffer) => {
-          initialDataReceived = true;
-          // Try to extract the server name from the ClientHello.
-          const serverName = extractSNI(chunk) || '';
-          console.log(`Received connection from ${remoteIP} with SNI: ${serverName}`);
-          setupConnection(serverName, chunk);
-        });
-      } else {
-        // For non-SNI connections, simply check defaultAllowedIPs.
-        initialDataReceived = true;
-        if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
-          console.log(`Connection rejected: IP ${remoteIP} not allowed for non-SNI connection`);
-          socket.end();
-          return;
-        }
-        setupConnection('');
-      }
-    })
-    .on('error', (err: Error) => {
-      console.log(`Server Error: ${err.message}`);
-    })
-    .listen(this.settings.fromPort, () => {
-      console.log(`PortProxy -> OK: Now listening on port ${this.settings.fromPort}${this.settings.sniEnabled ? ' (SNI passthrough enabled)' : ''}`);
-    });
-
-    // Log active connection count and longest running connections every 10 seconds.
-    this.connectionLogger = setInterval(() => {
-      const now = Date.now();
-      let maxIncoming = 0;
-      for (const startTime of this.incomingConnectionTimes.values()) {
-        const duration = now - startTime;
-        if (duration > maxIncoming) {
-          maxIncoming = duration;
-        }
-      }
-      let maxOutgoing = 0;
-      for (const startTime of this.outgoingConnectionTimes.values()) {
-        const duration = now - startTime;
-        if (duration > maxOutgoing) {
-          maxOutgoing = duration;
-        }
-      }
-      console.log(`(Interval Log) Active connections: ${this.activeConnections.size}. Longest running incoming: ${maxIncoming}ms, outgoing: ${maxOutgoing}ms`);
-    }, 10000);
-  }
-
-  public async stop() {
-    const done = plugins.smartpromise.defer();
-    this.netServer.close(() => {
-      done.resolve();
-    });
-    if (this.connectionLogger) {
-      clearInterval(this.connectionLogger);
-      this.connectionLogger = null;
-    }
-    await done.promise;
-  }
-}