5.1.0

changelog.md

@@ -1,5 +1,54 @@
 # Changelog
 
+## 2025-03-18 - 5.1.0 - feat(docs)
+docs: replace IPTablesProxy references with NfTablesProxy in README and examples, updating configuration options and diagrams for advanced nftables features
+
+- Updated README diagrams to reflect nftables integration for low-level port forwarding.
+- Replaced all occurrences of 'IPTablesProxy' with 'NfTablesProxy' in documentation and code examples.
+- Included additional details on QoS, advanced NAT, and IP set options in the configuration options section.
+
+## 2025-03-18 - 5.0.0 - BREAKING CHANGE(nftables)
+Replace IPTablesProxy with NfTablesProxy and update module exports in index.ts
+
+- Removed ts/classes.iptablesproxy.ts
+- Added ts/classes.nftablesproxy.ts for enhanced nftables integration
+- Updated ts/index.ts to export NfTablesProxy instead of IPTablesProxy
+
+## 2025-03-18 - 4.3.0 - feat(Port80Handler)
+Add glob pattern support for domain certificate management in Port80Handler. Wildcard domains are now detected and skipped in certificate issuance and retrieval, ensuring that only explicit domains receive ACME certificates and improving route matching.
+
+- Introduced isGlobPattern to detect wildcard domains.
+- Added getDomainInfoForRequest and domainMatchesPattern methods to enable glob pattern matching for domain configurations.
+- Modified setCertificate and getCertificate to prevent certificate operations for glob patterns.
+- Updated request handling to skip ACME challenge processing and certificate issuance for wildcard domains.
+- Updated documentation and tests to reflect the new glob pattern support.
+
+## 2025-03-18 - 4.2.6 - fix(Port80Handler)
+Restrict ACME HTTP-01 challenge handling to domains with acmeMaintenance or acmeForward enabled
+
+- Updated challenge handler in ts/classes.port80handler.ts to include a check for (options.acmeMaintenance || options.acmeForward)
+- Prevents unintended processing of ACME challenges when ACME configuration is not enabled
+
+## 2025-03-18 - 4.2.5 - fix(networkproxy)
+Refactor certificate management components: rename AcmeCertManager to Port80Handler and update related event names from CertManagerEvents to Port80HandlerEvents. The changes update internal API usage in ts/classes.networkproxy.ts and ts/classes.port80handler.ts to unify and simplify ACME certificate handling and HTTP-01 challenge management.
+
+- Renamed AcmeCertManager to Port80Handler in ts/classes.networkproxy.ts
+- Updated event names from CertManagerEvents to Port80HandlerEvents
+- Modified API calls for certificate issuance and renewal in ts/classes.port80handler.ts
+- Refactored domain registration and certificate extraction logic
+
+## 2025-03-18 - 4.2.4 - fix(ts/index.ts)
+Fix export order in ts/index.ts by moving the port proxy export back and adding interfaces export for proper module exposure
+
+- Reorder exports to place './classes.pp.portproxy.js' in the correct position
+- Add export for './classes.pp.interfaces.js' to expose internal interfaces
+
+## 2025-03-18 - 4.2.3 - fix(connectionhandler)
+Remove unnecessary delay in TLS session ticket handling for connections without SNI
+
+- Eliminated the extra setTimeout waiting period before cleaning up connections flagged as session_ticket_blocked_no_sni
+- Ensures immediate cleanup and improves connection responsiveness during TLS handshake failures
+
 ## 2025-03-18 - 4.2.2 - fix(connectionhandler)
 Ensure proper termination of TLS connections without SNI by explicitly ending the socket after sending the unrecognized_name alert. This prevents the connection from hanging and avoids potential duplicate handling.
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "4.2.2",
+  "version": "5.1.0",
   "private": false,
   "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.",
   "main": "dist_ts/index.js",

readme.md

@@ -16,7 +16,7 @@ flowchart TB
         HTTP80[HTTP Port 80\nSslRedirect]
         HTTPS443[HTTPS Port 443\nNetworkProxy]
         PortProxy[TCP Port Proxy\nwith SNI routing]
-        IPTables[IPTablesProxy]
+        NfTables[NfTablesProxy]
         Router[ProxyRouter]
         ACME[Port80Handler\nACME/Let's Encrypt]
         Certs[(SSL Certificates)]
@@ -40,7 +40,7 @@ flowchart TB
     PortProxy -->|Direct TCP| Service2
     PortProxy -->|Direct TCP| Service3
     
-    IPTables -.->|Low-level forwarding| PortProxy
+    NfTables -.->|Low-level forwarding| PortProxy
     
     HTTP80 -.->|Challenge Response| ACME
     ACME -.->|Generate/Manage| Certs
@@ -197,7 +197,7 @@ sequenceDiagram
 - **HTTP to HTTPS Redirection** - Automatically redirect HTTP requests to HTTPS
 - **Let's Encrypt Integration** - Automatic certificate management using ACME protocol
 - **IP Filtering** - Control access with IP allow/block lists using glob patterns
-- **IPTables Integration** - Direct manipulation of iptables for low-level port forwarding
+- **NfTables Integration** - Direct manipulation of nftables for advanced low-level port forwarding
 - **Basic Authentication** - Support for basic auth on proxied routes
 - **Connection Management** - Intelligent connection tracking and cleanup with configurable timeouts
 - **Browser Compatibility** - Optimized for modern browsers with fixes for common TLS handshake issues
@@ -315,13 +315,13 @@ const portProxy = new PortProxy({
 portProxy.start();
 ```
 
-### IPTables Port Forwarding
+### NfTables Port Forwarding
 
 ```typescript
-import { IPTablesProxy } from '@push.rocks/smartproxy';
+import { NfTablesProxy } from '@push.rocks/smartproxy';
 
 // Basic usage - forward single port
-const basicProxy = new IPTablesProxy({
+const basicProxy = new NfTablesProxy({
   fromPort: 80,
   toPort: 8080,
   toHost: 'localhost',
@@ -330,7 +330,7 @@ const basicProxy = new IPTablesProxy({
 });
 
 // Forward port ranges
-const rangeProxy = new IPTablesProxy({
+const rangeProxy = new NfTablesProxy({
   fromPort: { from: 3000, to: 3010 },  // Forward ports 3000-3010
   toPort: { from: 8000, to: 8010 },    // To ports 8000-8010
   protocol: 'tcp',                     // TCP protocol (default)
@@ -339,19 +339,26 @@ const rangeProxy = new IPTablesProxy({
 });
 
 // Multiple port specifications with IP filtering
-const advancedProxy = new IPTablesProxy({
+const advancedProxy = new NfTablesProxy({
   fromPort: [80, 443, { from: 8000, to: 8010 }],  // Multiple ports/ranges
   toPort: [8080, 8443, { from: 18000, to: 18010 }],
   allowedSourceIPs: ['10.0.0.0/8', '192.168.1.0/24'],  // Only allow these IPs
   bannedSourceIPs: ['192.168.1.100'],                 // Explicitly block these IPs
-  addJumpRule: true,                                  // Use custom chain for better management
-  checkExistingRules: true                           // Check for duplicate rules
+  useIPSets: true,                                   // Use IP sets for efficient IP management
+  forceCleanSlate: false                             // Clean all NfTablesProxy rules before starting
 });
 
-// NetworkProxy integration for SSL termination
-const sslProxy = new IPTablesProxy({
+// Advanced features: QoS, connection tracking, and NetworkProxy integration
+const advancedProxy = new NfTablesProxy({
   fromPort: 443,
   toPort: 8443,
+  toHost: 'localhost',
+  useAdvancedNAT: true,                // Use connection tracking for stateful NAT
+  qos: {
+    enabled: true,
+    maxRate: '10mbps',                 // Limit bandwidth
+    priority: 1                        // Set traffic priority (1-10)
+  },
   netProxyIntegration: {
     enabled: true,
     redirectLocalhost: true,           // Redirect localhost traffic to NetworkProxy
@@ -372,8 +379,25 @@ import { Port80Handler } from '@push.rocks/smartproxy';
 const acmeHandler = new Port80Handler();
 
 // Add domains to manage certificates for
-acmeHandler.addDomain('example.com');
-acmeHandler.addDomain('api.example.com');
+acmeHandler.addDomain({
+  domainName: 'example.com',
+  sslRedirect: true,
+  acmeMaintenance: true
+});
+
+acmeHandler.addDomain({
+  domainName: 'api.example.com',
+  sslRedirect: true,
+  acmeMaintenance: true
+});
+
+// Support for glob pattern domains for routing (certificates not issued for glob patterns)
+acmeHandler.addDomain({
+  domainName: '*.example.com',
+  sslRedirect: true,
+  acmeMaintenance: false,  // Can't issue certificates for wildcard domains via HTTP-01
+  forward: { ip: '192.168.1.10', port: 8080 }  // Forward requests to this target
+});
 ```
 
 ## Configuration Options
@@ -412,7 +436,7 @@ acmeHandler.addDomain('api.example.com');
 | `enableDetailedLogging`   | Enable detailed connection logging                     | false       |
 | `enableRandomizedTimeouts`| Randomize timeouts slightly to prevent thundering herd | true        |
 
-### IPTablesProxy Settings
+### NfTablesProxy Settings
 
 | Option                | Description                                       | Default     |
 |-----------------------|---------------------------------------------------|-------------|
@@ -420,18 +444,32 @@ acmeHandler.addDomain('api.example.com');
 | `toPort`              | Destination port(s) or range(s) to forward to     | -           |
 | `toHost`              | Destination host to forward to                    | 'localhost' |
 | `preserveSourceIP`    | Preserve the original client IP                   | false       |
-| `deleteOnExit`        | Remove iptables rules when process exits          | false       |
+| `deleteOnExit`        | Remove nftables rules when process exits          | false       |
 | `protocol`            | Protocol to forward ('tcp', 'udp', or 'all')      | 'tcp'       |
 | `enableLogging`       | Enable detailed logging                           | false       |
-| `ipv6Support`         | Enable IPv6 support with ip6tables                | false       |
+| `logFormat`           | Format for logs ('plain' or 'json')               | 'plain'     |
+| `ipv6Support`         | Enable IPv6 support                               | false       |
 | `allowedSourceIPs`    | Array of IP addresses/CIDR allowed to connect     | -           |
 | `bannedSourceIPs`     | Array of IP addresses/CIDR blocked from connecting | -           |
-| `forceCleanSlate`     | Clear all IPTablesProxy rules before starting     | false       |
-| `addJumpRule`         | Add a custom chain for cleaner rule management    | false       |
-| `checkExistingRules`  | Check if rules already exist before adding        | true        |
+| `useIPSets`           | Use nftables sets for efficient IP management     | true        |
+| `forceCleanSlate`     | Clear all NfTablesProxy rules before starting     | false       |
+| `tableName`           | Custom table name                                 | 'portproxy' |
+| `maxRetries`          | Maximum number of retries for failed commands     | 3           |
+| `retryDelayMs`        | Delay between retries in milliseconds             | 1000        |
+| `useAdvancedNAT`      | Use connection tracking for stateful NAT          | false       |
+| `qos`                 | Quality of Service options (object)               | -           |
 | `netProxyIntegration` | NetworkProxy integration options (object)         | -           |
 
-#### IPTablesProxy NetworkProxy Integration Options
+#### NfTablesProxy QoS Options
+
+| Option               | Description                                       | Default |
+|----------------------|---------------------------------------------------|---------|
+| `enabled`            | Enable Quality of Service features                | false   |
+| `maxRate`            | Maximum bandwidth rate (e.g. "10mbps")           | -       |
+| `priority`           | Traffic priority (1-10, 1 is highest)            | -       |
+| `markConnections`    | Mark connections for easier management            | false   |
+
+#### NfTablesProxy NetworkProxy Integration Options
 
 | Option               | Description                                       | Default |
 |----------------------|---------------------------------------------------|---------|
@@ -490,18 +528,30 @@ The `PortProxy` class can inspect the SNI (Server Name Indication) field in TLS
 - Domain-specific allowed IP ranges
 - Protection against SNI renegotiation attacks
 
-### Enhanced IPTables Management
+### Enhanced NfTables Management
 
-The improved `IPTablesProxy` class offers advanced capabilities:
+The `NfTablesProxy` class offers advanced capabilities compared to the previous IPTablesProxy:
 
 - Support for multiple port ranges and individual ports
-- IPv6 support with ip6tables
-- Source IP filtering with allow/block lists
-- Custom chain creation for better rule organization
+- More efficient IP filtering using nftables sets
+- IPv6 support with full feature parity
+- Quality of Service (QoS) features including bandwidth limiting and traffic prioritization
+- Advanced connection tracking for stateful NAT
+- Robust error handling with retry mechanisms
+- Structured logging with JSON support
 - NetworkProxy integration for SSL termination
-- Automatic rule existence checking to prevent duplicates
 - Comprehensive cleanup on shutdown
 
+### Port80Handler with Glob Pattern Support
+
+The `Port80Handler` class now includes support for glob pattern domain matching:
+
+- Supports wildcard domains like `*.example.com` for HTTP request routing
+- Detects glob patterns and skips certificate issuance for them
+- Smart routing that first attempts exact matches, then tries pattern matching
+- Supports forwarding HTTP requests to backend services
+- Separate forwarding configuration for ACME challenges
+
 ## Troubleshooting
 
 ### Browser Certificate Errors

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '4.2.2',
+  version: '5.1.0',
   description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
 }

ts/classes.iptablesproxy.ts

@@ -1,901 +0,0 @@
-import { exec, execSync } from 'child_process';
-import { promisify } from 'util';
-
-const execAsync = promisify(exec);
-
-/**
- * Represents a port range for forwarding
- */
-export interface IPortRange {
-  from: number;
-  to: number;
-}
-
-/**
- * Settings for IPTablesProxy.
- */
-export interface IIpTableProxySettings {
-  // Basic settings
-  fromPort: number | IPortRange | Array<number | IPortRange>; // Support single port, port range, or multiple ports/ranges
-  toPort: number | IPortRange | Array<number | IPortRange>;
-  toHost?: string; // Target host for proxying; defaults to 'localhost'
-  
-  // Advanced settings
-  preserveSourceIP?: boolean; // If true, the original source IP is preserved
-  deleteOnExit?: boolean;     // If true, clean up marked iptables rules before process exit
-  protocol?: 'tcp' | 'udp' | 'all'; // Protocol to forward, defaults to 'tcp'
-  enableLogging?: boolean;    // Enable detailed logging
-  ipv6Support?: boolean;      // Enable IPv6 support (ip6tables)
-  
-  // Source filtering
-  allowedSourceIPs?: string[]; // If provided, only these IPs are allowed
-  bannedSourceIPs?: string[];  // If provided, these IPs are blocked
-  
-  // Rule management
-  forceCleanSlate?: boolean;   // Clear all IPTablesProxy rules before starting
-  addJumpRule?: boolean;       // Add a custom chain for cleaner rule management
-  checkExistingRules?: boolean; // Check if rules already exist before adding
-  
-  // Integration with PortProxy/NetworkProxy
-  netProxyIntegration?: {
-    enabled: boolean;
-    redirectLocalhost?: boolean; // Redirect localhost traffic to NetworkProxy
-    sslTerminationPort?: number; // Port where NetworkProxy handles SSL termination
-  };
-}
-
-/**
- * Represents a rule added to iptables
- */
-interface IpTablesRule {
-  table: string;
-  chain: string;
-  command: string;
-  tag: string;
-  added: boolean;
-}
-
-/**
- * IPTablesProxy sets up iptables NAT rules to forward TCP traffic.
- * Enhanced with multi-port support, IPv6, and integration with PortProxy/NetworkProxy.
- */
-export class IPTablesProxy {
-  public settings: IIpTableProxySettings;
-  private rules: IpTablesRule[] = [];
-  private ruleTag: string;
-  private customChain: string | null = null;
-
-  constructor(settings: IIpTableProxySettings) {
-    // Validate inputs to prevent command injection
-    this.validateSettings(settings);
-    
-    // Set default settings
-    this.settings = {
-      ...settings,
-      toHost: settings.toHost || 'localhost',
-      protocol: settings.protocol || 'tcp',
-      enableLogging: settings.enableLogging !== undefined ? settings.enableLogging : false,
-      ipv6Support: settings.ipv6Support !== undefined ? settings.ipv6Support : false,
-      checkExistingRules: settings.checkExistingRules !== undefined ? settings.checkExistingRules : true,
-      netProxyIntegration: settings.netProxyIntegration || { enabled: false }
-    };
-    
-    // Generate a unique identifier for the rules added by this instance
-    this.ruleTag = `IPTablesProxy:${Date.now()}:${Math.random().toString(36).substr(2, 5)}`;
-    
-    if (this.settings.addJumpRule) {
-      this.customChain = `IPTablesProxy_${Math.random().toString(36).substr(2, 5)}`;
-    }
-
-    // Register cleanup handlers if deleteOnExit is true
-    if (this.settings.deleteOnExit) {
-      const cleanup = () => {
-        try {
-          this.stopSync();
-        } catch (err) {
-          console.error('Error cleaning iptables rules on exit:', err);
-        }
-      };
-      
-      process.on('exit', cleanup);
-      process.on('SIGINT', () => {
-        cleanup();
-        process.exit();
-      });
-      process.on('SIGTERM', () => {
-        cleanup();
-        process.exit();
-      });
-    }
-  }
-
-  /**
-   * Validates settings to prevent command injection and ensure valid values
-   */
-  private validateSettings(settings: IIpTableProxySettings): void {
-    // Validate port numbers
-    const validatePorts = (port: number | IPortRange | Array<number | IPortRange>) => {
-      if (Array.isArray(port)) {
-        port.forEach(p => validatePorts(p));
-        return;
-      }
-      
-      if (typeof port === 'number') {
-        if (port < 1 || port > 65535) {
-          throw new Error(`Invalid port number: ${port}`);
-        }
-      } else if (typeof port === 'object') {
-        if (port.from < 1 || port.from > 65535 || port.to < 1 || port.to > 65535 || port.from > port.to) {
-          throw new Error(`Invalid port range: ${port.from}-${port.to}`);
-        }
-      }
-    };
-    
-    validatePorts(settings.fromPort);
-    validatePorts(settings.toPort);
-    
-    // Define regex patterns at the method level so they're available throughout
-    const ipRegex = /^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$/;
-    const ipv6Regex = /^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$/;
-    
-    // Validate IP addresses
-    const validateIPs = (ips?: string[]) => {
-      if (!ips) return;
-      
-      for (const ip of ips) {
-        if (!ipRegex.test(ip) && !ipv6Regex.test(ip)) {
-          throw new Error(`Invalid IP address format: ${ip}`);
-        }
-      }
-    };
-    
-    validateIPs(settings.allowedSourceIPs);
-    validateIPs(settings.bannedSourceIPs);
-    
-    // Validate toHost - only allow hostnames or IPs
-    if (settings.toHost) {
-      const hostRegex = /^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$/;
-      if (!hostRegex.test(settings.toHost) && !ipRegex.test(settings.toHost) && !ipv6Regex.test(settings.toHost)) {
-        throw new Error(`Invalid host format: ${settings.toHost}`);
-      }
-    }
-  }
-  
-  /**
-   * Normalizes port specifications into an array of port ranges
-   */
-  private normalizePortSpec(portSpec: number | IPortRange | Array<number | IPortRange>): IPortRange[] {
-    const result: IPortRange[] = [];
-    
-    if (Array.isArray(portSpec)) {
-      // If it's an array, process each element
-      for (const spec of portSpec) {
-        result.push(...this.normalizePortSpec(spec));
-      }
-    } else if (typeof portSpec === 'number') {
-      // Single port becomes a range with the same start and end
-      result.push({ from: portSpec, to: portSpec });
-    } else {
-      // Already a range
-      result.push(portSpec);
-    }
-    
-    return result;
-  }
-
-  /**
-   * Gets the appropriate iptables command based on settings
-   */
-  private getIptablesCommand(isIpv6: boolean = false): string {
-    return isIpv6 ? 'ip6tables' : 'iptables';
-  }
-
-  /**
-   * Checks if a rule already exists in iptables
-   */
-  private async ruleExists(table: string, command: string, isIpv6: boolean = false): Promise<boolean> {
-    try {
-      const iptablesCmd = this.getIptablesCommand(isIpv6);
-      const { stdout } = await execAsync(`${iptablesCmd}-save -t ${table}`);
-      // Convert the command to the format found in iptables-save output
-      // (This is a simplification - in reality, you'd need more parsing)
-      const rulePattern = command.replace(`${iptablesCmd} -t ${table} -A `, '-A ');
-      return stdout.split('\n').some(line => line.trim() === rulePattern);
-    } catch (err) {
-      this.log('error', `Failed to check if rule exists: ${err}`);
-      return false;
-    }
-  }
-
-  /**
-   * Sets up a custom chain for better rule management
-   */
-  private async setupCustomChain(isIpv6: boolean = false): Promise<boolean> {
-    if (!this.customChain) return true;
-    
-    const iptablesCmd = this.getIptablesCommand(isIpv6);
-    const table = 'nat';
-    
-    try {
-      // Create the chain
-      await execAsync(`${iptablesCmd} -t ${table} -N ${this.customChain}`);
-      this.log('info', `Created custom chain: ${this.customChain}`);
-      
-      // Add jump rule to PREROUTING chain
-      const jumpCommand = `${iptablesCmd} -t ${table} -A PREROUTING -j ${this.customChain} -m comment --comment "${this.ruleTag}:JUMP"`;
-      await execAsync(jumpCommand);
-      this.log('info', `Added jump rule to ${this.customChain}`);
-      
-      // Store the jump rule
-      this.rules.push({
-        table,
-        chain: 'PREROUTING',
-        command: jumpCommand,
-        tag: `${this.ruleTag}:JUMP`,
-        added: true
-      });
-      
-      return true;
-    } catch (err) {
-      this.log('error', `Failed to set up custom chain: ${err}`);
-      return false;
-    }
-  }
-
-  /**
-   * Add a source IP filter rule
-   */
-  private async addSourceIPFilter(isIpv6: boolean = false): Promise<boolean> {
-    if (!this.settings.allowedSourceIPs && !this.settings.bannedSourceIPs) {
-      return true;
-    }
-    
-    const iptablesCmd = this.getIptablesCommand(isIpv6);
-    const table = 'nat';
-    const chain = this.customChain || 'PREROUTING';
-    
-    try {
-      // Add banned IPs first (explicit deny)
-      if (this.settings.bannedSourceIPs && this.settings.bannedSourceIPs.length > 0) {
-        for (const ip of this.settings.bannedSourceIPs) {
-          const command = `${iptablesCmd} -t ${table} -A ${chain} -s ${ip} -j DROP -m comment --comment "${this.ruleTag}:BANNED"`;
-          
-          // Check if rule already exists
-          if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
-            this.log('info', `Rule already exists, skipping: ${command}`);
-            continue;
-          }
-          
-          await execAsync(command);
-          this.log('info', `Added banned IP rule: ${command}`);
-          
-          this.rules.push({
-            table,
-            chain,
-            command,
-            tag: `${this.ruleTag}:BANNED`,
-            added: true
-          });
-        }
-      }
-      
-      // Add allowed IPs (explicit allow)
-      if (this.settings.allowedSourceIPs && this.settings.allowedSourceIPs.length > 0) {
-        // First add a default deny for all
-        const denyAllCommand = `${iptablesCmd} -t ${table} -A ${chain} -p ${this.settings.protocol} -j DROP -m comment --comment "${this.ruleTag}:DENY_ALL"`;
-        
-        // Add allow rules for specific IPs
-        for (const ip of this.settings.allowedSourceIPs) {
-          const command = `${iptablesCmd} -t ${table} -A ${chain} -s ${ip} -p ${this.settings.protocol} -j ACCEPT -m comment --comment "${this.ruleTag}:ALLOWED"`;
-          
-          // Check if rule already exists
-          if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
-            this.log('info', `Rule already exists, skipping: ${command}`);
-            continue;
-          }
-          
-          await execAsync(command);
-          this.log('info', `Added allowed IP rule: ${command}`);
-          
-          this.rules.push({
-            table,
-            chain,
-            command,
-            tag: `${this.ruleTag}:ALLOWED`,
-            added: true
-          });
-        }
-        
-        // Now add the default deny after all allows
-        if (this.settings.checkExistingRules && await this.ruleExists(table, denyAllCommand, isIpv6)) {
-          this.log('info', `Rule already exists, skipping: ${denyAllCommand}`);
-        } else {
-          await execAsync(denyAllCommand);
-          this.log('info', `Added default deny rule: ${denyAllCommand}`);
-          
-          this.rules.push({
-            table,
-            chain,
-            command: denyAllCommand,
-            tag: `${this.ruleTag}:DENY_ALL`,
-            added: true
-          });
-        }
-      }
-      
-      return true;
-    } catch (err) {
-      this.log('error', `Failed to add source IP filter rules: ${err}`);
-      return false;
-    }
-  }
-
-  /**
-   * Adds a port forwarding rule
-   */
-  private async addPortForwardingRule(
-    fromPortRange: IPortRange,
-    toPortRange: IPortRange,
-    isIpv6: boolean = false
-  ): Promise<boolean> {
-    const iptablesCmd = this.getIptablesCommand(isIpv6);
-    const table = 'nat';
-    const chain = this.customChain || 'PREROUTING';
-    
-    try {
-      // Handle single port case
-      if (fromPortRange.from === fromPortRange.to && toPortRange.from === toPortRange.to) {
-        // Single port forward
-        const command = `${iptablesCmd} -t ${table} -A ${chain} -p ${this.settings.protocol} --dport ${fromPortRange.from} ` +
-          `-j DNAT --to-destination ${this.settings.toHost}:${toPortRange.from} ` +
-          `-m comment --comment "${this.ruleTag}:DNAT"`;
-        
-        // Check if rule already exists
-        if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
-          this.log('info', `Rule already exists, skipping: ${command}`);
-        } else {
-          await execAsync(command);
-          this.log('info', `Added port forwarding rule: ${command}`);
-          
-          this.rules.push({
-            table,
-            chain,
-            command,
-            tag: `${this.ruleTag}:DNAT`,
-            added: true
-          });
-        }
-      } else if (fromPortRange.to - fromPortRange.from === toPortRange.to - toPortRange.from) {
-        // Port range forward with equal ranges
-        const command = `${iptablesCmd} -t ${table} -A ${chain} -p ${this.settings.protocol} --dport ${fromPortRange.from}:${fromPortRange.to} ` +
-          `-j DNAT --to-destination ${this.settings.toHost}:${toPortRange.from}-${toPortRange.to} ` +
-          `-m comment --comment "${this.ruleTag}:DNAT_RANGE"`;
-        
-        // Check if rule already exists
-        if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
-          this.log('info', `Rule already exists, skipping: ${command}`);
-        } else {
-          await execAsync(command);
-          this.log('info', `Added port range forwarding rule: ${command}`);
-          
-          this.rules.push({
-            table,
-            chain,
-            command,
-            tag: `${this.ruleTag}:DNAT_RANGE`,
-            added: true
-          });
-        }
-      } else {
-        // Unequal port ranges need individual rules
-        for (let i = 0; i <= fromPortRange.to - fromPortRange.from; i++) {
-          const fromPort = fromPortRange.from + i;
-          const toPort = toPortRange.from + i % (toPortRange.to - toPortRange.from + 1);
-          
-          const command = `${iptablesCmd} -t ${table} -A ${chain} -p ${this.settings.protocol} --dport ${fromPort} ` +
-            `-j DNAT --to-destination ${this.settings.toHost}:${toPort} ` +
-            `-m comment --comment "${this.ruleTag}:DNAT_INDIVIDUAL"`;
-          
-          // Check if rule already exists
-          if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
-            this.log('info', `Rule already exists, skipping: ${command}`);
-            continue;
-          }
-          
-          await execAsync(command);
-          this.log('info', `Added individual port forwarding rule: ${command}`);
-          
-          this.rules.push({
-            table,
-            chain,
-            command,
-            tag: `${this.ruleTag}:DNAT_INDIVIDUAL`,
-            added: true
-          });
-        }
-      }
-      
-      // If preserveSourceIP is false, add a MASQUERADE rule
-      if (!this.settings.preserveSourceIP) {
-        // For port range
-        const masqCommand = `${iptablesCmd} -t nat -A POSTROUTING -p ${this.settings.protocol} -d ${this.settings.toHost} ` +
-          `--dport ${toPortRange.from}:${toPortRange.to} -j MASQUERADE ` +
-          `-m comment --comment "${this.ruleTag}:MASQ"`;
-        
-        // Check if rule already exists
-        if (this.settings.checkExistingRules && await this.ruleExists('nat', masqCommand, isIpv6)) {
-          this.log('info', `Rule already exists, skipping: ${masqCommand}`);
-        } else {
-          await execAsync(masqCommand);
-          this.log('info', `Added MASQUERADE rule: ${masqCommand}`);
-          
-          this.rules.push({
-            table: 'nat',
-            chain: 'POSTROUTING',
-            command: masqCommand,
-            tag: `${this.ruleTag}:MASQ`,
-            added: true
-          });
-        }
-      }
-      
-      return true;
-    } catch (err) {
-      this.log('error', `Failed to add port forwarding rule: ${err}`);
-      
-      // Try to roll back any rules that were already added
-      await this.rollbackRules();
-      
-      return false;
-    }
-  }
-
-  /**
-   * Special handling for NetworkProxy integration
-   */
-  private async setupNetworkProxyIntegration(isIpv6: boolean = false): Promise<boolean> {
-    if (!this.settings.netProxyIntegration?.enabled) {
-      return true;
-    }
-    
-    const netProxyConfig = this.settings.netProxyIntegration;
-    const iptablesCmd = this.getIptablesCommand(isIpv6);
-    const table = 'nat';
-    const chain = this.customChain || 'PREROUTING';
-    
-    try {
-      // If redirectLocalhost is true, set up special rule to redirect localhost traffic to NetworkProxy
-      if (netProxyConfig.redirectLocalhost && netProxyConfig.sslTerminationPort) {
-        const redirectCommand = `${iptablesCmd} -t ${table} -A OUTPUT -p tcp -d 127.0.0.1 -j REDIRECT ` +
-          `--to-port ${netProxyConfig.sslTerminationPort} ` +
-          `-m comment --comment "${this.ruleTag}:NETPROXY_REDIRECT"`;
-        
-        // Check if rule already exists
-        if (this.settings.checkExistingRules && await this.ruleExists(table, redirectCommand, isIpv6)) {
-          this.log('info', `Rule already exists, skipping: ${redirectCommand}`);
-        } else {
-          await execAsync(redirectCommand);
-          this.log('info', `Added NetworkProxy redirection rule: ${redirectCommand}`);
-          
-          this.rules.push({
-            table,
-            chain: 'OUTPUT',
-            command: redirectCommand,
-            tag: `${this.ruleTag}:NETPROXY_REDIRECT`,
-            added: true
-          });
-        }
-      }
-      
-      return true;
-    } catch (err) {
-      this.log('error', `Failed to set up NetworkProxy integration: ${err}`);
-      return false;
-    }
-  }
-
-  /**
-   * Rolls back rules that were added in case of error
-   */
-  private async rollbackRules(): Promise<void> {
-    // Process rules in reverse order (LIFO)
-    for (let i = this.rules.length - 1; i >= 0; i--) {
-      const rule = this.rules[i];
-      
-      if (rule.added) {
-        try {
-          // Convert -A (add) to -D (delete)
-          const deleteCommand = rule.command.replace('-A', '-D');
-          await execAsync(deleteCommand);
-          this.log('info', `Rolled back rule: ${deleteCommand}`);
-          
-          rule.added = false;
-        } catch (err) {
-          this.log('error', `Failed to roll back rule: ${err}`);
-        }
-      }
-    }
-  }
-
-  /**
-   * Sets up iptables rules for port forwarding with enhanced features
-   */
-  public async start(): Promise<void> {
-    // Optionally clean the slate first
-    if (this.settings.forceCleanSlate) {
-      await IPTablesProxy.cleanSlate();
-    }
-    
-    // First set up any custom chains
-    if (this.settings.addJumpRule) {
-      const chainSetupSuccess = await this.setupCustomChain();
-      if (!chainSetupSuccess) {
-        throw new Error('Failed to set up custom chain');
-      }
-      
-      // For IPv6 if enabled
-      if (this.settings.ipv6Support) {
-        const chainSetupSuccessIpv6 = await this.setupCustomChain(true);
-        if (!chainSetupSuccessIpv6) {
-          this.log('warn', 'Failed to set up IPv6 custom chain, continuing with IPv4 only');
-        }
-      }
-    }
-    
-    // Add source IP filters
-    await this.addSourceIPFilter();
-    if (this.settings.ipv6Support) {
-      await this.addSourceIPFilter(true);
-    }
-    
-    // Set up NetworkProxy integration if enabled
-    if (this.settings.netProxyIntegration?.enabled) {
-      const netProxySetupSuccess = await this.setupNetworkProxyIntegration();
-      if (!netProxySetupSuccess) {
-        this.log('warn', 'Failed to set up NetworkProxy integration');
-      }
-      
-      if (this.settings.ipv6Support) {
-        await this.setupNetworkProxyIntegration(true);
-      }
-    }
-    
-    // Normalize port specifications
-    const fromPortRanges = this.normalizePortSpec(this.settings.fromPort);
-    const toPortRanges = this.normalizePortSpec(this.settings.toPort);
-    
-    // Handle the case where fromPort and toPort counts don't match
-    if (fromPortRanges.length !== toPortRanges.length) {
-      if (toPortRanges.length === 1) {
-        // If there's only one toPort, use it for all fromPorts
-        for (const fromRange of fromPortRanges) {
-          await this.addPortForwardingRule(fromRange, toPortRanges[0]);
-          
-          if (this.settings.ipv6Support) {
-            await this.addPortForwardingRule(fromRange, toPortRanges[0], true);
-          }
-        }
-      } else {
-        throw new Error('Mismatched port counts: fromPort and toPort arrays must have equal length or toPort must be a single value');
-      }
-    } else {
-      // Add port forwarding rules for each port specification
-      for (let i = 0; i < fromPortRanges.length; i++) {
-        await this.addPortForwardingRule(fromPortRanges[i], toPortRanges[i]);
-        
-        if (this.settings.ipv6Support) {
-          await this.addPortForwardingRule(fromPortRanges[i], toPortRanges[i], true);
-        }
-      }
-    }
-    
-    // Final check - ensure we have at least one rule added
-    if (this.rules.filter(r => r.added).length === 0) {
-      throw new Error('No rules were added');
-    }
-  }
-
-  /**
-   * Removes all added iptables rules
-   */
-  public async stop(): Promise<void> {
-    // Process rules in reverse order (LIFO)
-    for (let i = this.rules.length - 1; i >= 0; i--) {
-      const rule = this.rules[i];
-      
-      if (rule.added) {
-        try {
-          // Convert -A (add) to -D (delete)
-          const deleteCommand = rule.command.replace('-A', '-D');
-          await execAsync(deleteCommand);
-          this.log('info', `Removed rule: ${deleteCommand}`);
-          
-          rule.added = false;
-        } catch (err) {
-          this.log('error', `Failed to remove rule: ${err}`);
-        }
-      }
-    }
-    
-    // If we created a custom chain, we need to clean it up
-    if (this.customChain) {
-      try {
-        // First flush the chain
-        await execAsync(`iptables -t nat -F ${this.customChain}`);
-        this.log('info', `Flushed custom chain: ${this.customChain}`);
-        
-        // Then delete it
-        await execAsync(`iptables -t nat -X ${this.customChain}`);
-        this.log('info', `Deleted custom chain: ${this.customChain}`);
-        
-        // Same for IPv6 if enabled
-        if (this.settings.ipv6Support) {
-          try {
-            await execAsync(`ip6tables -t nat -F ${this.customChain}`);
-            await execAsync(`ip6tables -t nat -X ${this.customChain}`);
-            this.log('info', `Deleted IPv6 custom chain: ${this.customChain}`);
-          } catch (err) {
-            this.log('error', `Failed to delete IPv6 custom chain: ${err}`);
-          }
-        }
-      } catch (err) {
-        this.log('error', `Failed to delete custom chain: ${err}`);
-      }
-    }
-    
-    // Clear rules array
-    this.rules = [];
-  }
-
-  /**
-   * Synchronous version of stop, for use in exit handlers
-   */
-  public stopSync(): void {
-    // Process rules in reverse order (LIFO)
-    for (let i = this.rules.length - 1; i >= 0; i--) {
-      const rule = this.rules[i];
-      
-      if (rule.added) {
-        try {
-          // Convert -A (add) to -D (delete)
-          const deleteCommand = rule.command.replace('-A', '-D');
-          execSync(deleteCommand);
-          this.log('info', `Removed rule: ${deleteCommand}`);
-          
-          rule.added = false;
-        } catch (err) {
-          this.log('error', `Failed to remove rule: ${err}`);
-        }
-      }
-    }
-    
-    // If we created a custom chain, we need to clean it up
-    if (this.customChain) {
-      try {
-        // First flush the chain
-        execSync(`iptables -t nat -F ${this.customChain}`);
-        
-        // Then delete it
-        execSync(`iptables -t nat -X ${this.customChain}`);
-        this.log('info', `Deleted custom chain: ${this.customChain}`);
-        
-        // Same for IPv6 if enabled
-        if (this.settings.ipv6Support) {
-          try {
-            execSync(`ip6tables -t nat -F ${this.customChain}`);
-            execSync(`ip6tables -t nat -X ${this.customChain}`);
-          } catch (err) {
-            // IPv6 failures are non-critical
-          }
-        }
-      } catch (err) {
-        this.log('error', `Failed to delete custom chain: ${err}`);
-      }
-    }
-    
-    // Clear rules array
-    this.rules = [];
-  }
-
-  /**
-   * Asynchronously cleans up any iptables rules in the nat table that were added by this module.
-   * It looks for rules with comments containing "IPTablesProxy:".
-   */
-  public static async cleanSlate(): Promise<void> {
-    await IPTablesProxy.cleanSlateInternal();
-    
-    // Also clean IPv6 rules
-    await IPTablesProxy.cleanSlateInternal(true);
-  }
-  
-  /**
-   * Internal implementation of cleanSlate with IPv6 support
-   */
-  private static async cleanSlateInternal(isIpv6: boolean = false): Promise<void> {
-    const iptablesCmd = isIpv6 ? 'ip6tables' : 'iptables';
-    
-    try {
-      const { stdout } = await execAsync(`${iptablesCmd}-save -t nat`);
-      const lines = stdout.split('\n');
-      const proxyLines = lines.filter(line => line.includes('IPTablesProxy:'));
-      
-      // First, find and remove any custom chains
-      const customChains = new Set<string>();
-      const jumpRules: string[] = [];
-      
-      for (const line of proxyLines) {
-        if (line.includes('IPTablesProxy:JUMP')) {
-          // Extract chain name from jump rule
-          const match = line.match(/\s+-j\s+(\S+)\s+/);
-          if (match && match[1].startsWith('IPTablesProxy_')) {
-            customChains.add(match[1]);
-            jumpRules.push(line);
-          }
-        }
-      }
-      
-      // Remove jump rules first
-      for (const line of jumpRules) {
-        const trimmedLine = line.trim();
-        if (trimmedLine.startsWith('-A')) {
-          // Replace the "-A" with "-D" to form a deletion command
-          const deleteRule = trimmedLine.replace('-A', '-D');
-          const cmd = `${iptablesCmd} -t nat ${deleteRule}`;
-          try {
-            await execAsync(cmd);
-            console.log(`Cleaned up iptables jump rule: ${cmd}`);
-          } catch (err) {
-            console.error(`Failed to remove iptables jump rule: ${cmd}`, err);
-          }
-        }
-      }
-      
-      // Then remove all other rules
-      for (const line of proxyLines) {
-        if (!line.includes('IPTablesProxy:JUMP')) { // Skip jump rules we already handled
-          const trimmedLine = line.trim();
-          if (trimmedLine.startsWith('-A')) {
-            // Replace the "-A" with "-D" to form a deletion command
-            const deleteRule = trimmedLine.replace('-A', '-D');
-            const cmd = `${iptablesCmd} -t nat ${deleteRule}`;
-            try {
-              await execAsync(cmd);
-              console.log(`Cleaned up iptables rule: ${cmd}`);
-            } catch (err) {
-              console.error(`Failed to remove iptables rule: ${cmd}`, err);
-            }
-          }
-        }
-      }
-      
-      // Finally clean up custom chains
-      for (const chain of customChains) {
-        try {
-          // Flush the chain
-          await execAsync(`${iptablesCmd} -t nat -F ${chain}`);
-          console.log(`Flushed custom chain: ${chain}`);
-          
-          // Delete the chain
-          await execAsync(`${iptablesCmd} -t nat -X ${chain}`);
-          console.log(`Deleted custom chain: ${chain}`);
-        } catch (err) {
-          console.error(`Failed to delete custom chain ${chain}:`, err);
-        }
-      }
-    } catch (err) {
-      console.error(`Failed to run ${iptablesCmd}-save: ${err}`);
-    }
-  }
-
-  /**
-   * Synchronously cleans up any iptables rules in the nat table that were added by this module.
-   * It looks for rules with comments containing "IPTablesProxy:".
-   * This method is intended for use in process exit handlers.
-   */
-  public static cleanSlateSync(): void {
-    IPTablesProxy.cleanSlateSyncInternal();
-    
-    // Also clean IPv6 rules
-    IPTablesProxy.cleanSlateSyncInternal(true);
-  }
-  
-  /**
-   * Internal implementation of cleanSlateSync with IPv6 support
-   */
-  private static cleanSlateSyncInternal(isIpv6: boolean = false): void {
-    const iptablesCmd = isIpv6 ? 'ip6tables' : 'iptables';
-    
-    try {
-      const stdout = execSync(`${iptablesCmd}-save -t nat`).toString();
-      const lines = stdout.split('\n');
-      const proxyLines = lines.filter(line => line.includes('IPTablesProxy:'));
-      
-      // First, find and remove any custom chains
-      const customChains = new Set<string>();
-      const jumpRules: string[] = [];
-      
-      for (const line of proxyLines) {
-        if (line.includes('IPTablesProxy:JUMP')) {
-          // Extract chain name from jump rule
-          const match = line.match(/\s+-j\s+(\S+)\s+/);
-          if (match && match[1].startsWith('IPTablesProxy_')) {
-            customChains.add(match[1]);
-            jumpRules.push(line);
-          }
-        }
-      }
-      
-      // Remove jump rules first
-      for (const line of jumpRules) {
-        const trimmedLine = line.trim();
-        if (trimmedLine.startsWith('-A')) {
-          // Replace the "-A" with "-D" to form a deletion command
-          const deleteRule = trimmedLine.replace('-A', '-D');
-          const cmd = `${iptablesCmd} -t nat ${deleteRule}`;
-          try {
-            execSync(cmd);
-            console.log(`Cleaned up iptables jump rule: ${cmd}`);
-          } catch (err) {
-            console.error(`Failed to remove iptables jump rule: ${cmd}`, err);
-          }
-        }
-      }
-      
-      // Then remove all other rules
-      for (const line of proxyLines) {
-        if (!line.includes('IPTablesProxy:JUMP')) { // Skip jump rules we already handled
-          const trimmedLine = line.trim();
-          if (trimmedLine.startsWith('-A')) {
-            const deleteRule = trimmedLine.replace('-A', '-D');
-            const cmd = `${iptablesCmd} -t nat ${deleteRule}`;
-            try {
-              execSync(cmd);
-              console.log(`Cleaned up iptables rule: ${cmd}`);
-            } catch (err) {
-              console.error(`Failed to remove iptables rule: ${cmd}`, err);
-            }
-          }
-        }
-      }
-      
-      // Finally clean up custom chains
-      for (const chain of customChains) {
-        try {
-          // Flush the chain
-          execSync(`${iptablesCmd} -t nat -F ${chain}`);
-          
-          // Delete the chain
-          execSync(`${iptablesCmd} -t nat -X ${chain}`);
-          console.log(`Deleted custom chain: ${chain}`);
-        } catch (err) {
-          console.error(`Failed to delete custom chain ${chain}:`, err);
-        }
-      }
-    } catch (err) {
-      console.error(`Failed to run ${iptablesCmd}-save: ${err}`);
-    }
-  }
-  
-  /**
-   * Logging utility that respects the enableLogging setting
-   */
-  private log(level: 'info' | 'warn' | 'error', message: string): void {
-    if (!this.settings.enableLogging && level === 'info') {
-      return;
-    }
-    
-    const timestamp = new Date().toISOString();
-    
-    switch (level) {
-      case 'info':
-        console.log(`[${timestamp}] [INFO] ${message}`);
-        break;
-      case 'warn':
-        console.warn(`[${timestamp}] [WARN] ${message}`);
-        break;
-      case 'error':
-        console.error(`[${timestamp}] [ERROR] ${message}`);
-        break;
-    }
-  }
-}

ts/classes.networkproxy.ts

@@ -1,6 +1,6 @@
 import * as plugins from './plugins.js';
 import { ProxyRouter } from './classes.router.js';
-import { AcmeCertManager, CertManagerEvents } from './classes.port80handler.js';
+import { Port80Handler, Port80HandlerEvents, type IDomainOptions } from './classes.port80handler.js';
 import * as fs from 'fs';
 import * as path from 'path';
 import { fileURLToPath } from 'url';
@@ -72,8 +72,8 @@ export class NetworkProxy {
   private defaultCertificates: { key: string; cert: string };
   private certificateCache: Map<string, { key: string; cert: string; expires?: Date }> = new Map();
   
-  // ACME certificate manager
-  private certManager: AcmeCertManager | null = null;
+  // Port80Handler for certificate management
+  private port80Handler: Port80Handler | null = null;
   private certificateStoreDir: string;
   
   // New connection pool for backend connections
@@ -375,16 +375,16 @@ export class NetworkProxy {
   }
 
   /**
-   * Initializes the ACME certificate manager for automatic certificate issuance
+   * Initializes the Port80Handler for ACME certificate management
    * @private
    */
-  private async initializeAcmeManager(): Promise<void> {
+  private async initializePort80Handler(): Promise<void> {
     if (!this.options.acme.enabled) {
       return;
     }
     
     // Create certificate manager
-    this.certManager = new AcmeCertManager({
+    this.port80Handler = new Port80Handler({
       port: this.options.acme.port,
       contactEmail: this.options.acme.contactEmail,
       useProduction: this.options.acme.useProduction,
@@ -394,32 +394,32 @@ export class NetworkProxy {
     });
     
     // Register event handlers
-    this.certManager.on(CertManagerEvents.CERTIFICATE_ISSUED, this.handleCertificateIssued.bind(this));
-    this.certManager.on(CertManagerEvents.CERTIFICATE_RENEWED, this.handleCertificateIssued.bind(this));
-    this.certManager.on(CertManagerEvents.CERTIFICATE_FAILED, this.handleCertificateFailed.bind(this));
-    this.certManager.on(CertManagerEvents.CERTIFICATE_EXPIRING, (data) => {
+    this.port80Handler.on(Port80HandlerEvents.CERTIFICATE_ISSUED, this.handleCertificateIssued.bind(this));
+    this.port80Handler.on(Port80HandlerEvents.CERTIFICATE_RENEWED, this.handleCertificateIssued.bind(this));
+    this.port80Handler.on(Port80HandlerEvents.CERTIFICATE_FAILED, this.handleCertificateFailed.bind(this));
+    this.port80Handler.on(Port80HandlerEvents.CERTIFICATE_EXPIRING, (data) => {
       this.log('info', `Certificate for ${data.domain} expires in ${data.daysRemaining} days`);
     });
     
-    // Start the manager
+    // Start the handler
     try {
-      await this.certManager.start();
-      this.log('info', `ACME Certificate Manager started on port ${this.options.acme.port}`);
+      await this.port80Handler.start();
+      this.log('info', `Port80Handler started on port ${this.options.acme.port}`);
       
       // Add domains from proxy configs
-      this.registerDomainsWithAcmeManager();
+      this.registerDomainsWithPort80Handler();
     } catch (error) {
-      this.log('error', `Failed to start ACME Certificate Manager: ${error}`);
-      this.certManager = null;
+      this.log('error', `Failed to start Port80Handler: ${error}`);
+      this.port80Handler = null;
     }
   }
   
   /**
-   * Registers domains from proxy configs with the ACME manager
+   * Registers domains from proxy configs with the Port80Handler
    * @private
    */
-  private registerDomainsWithAcmeManager(): void {
-    if (!this.certManager) return;
+  private registerDomainsWithPort80Handler(): void {
+    if (!this.port80Handler) return;
     
     // Get all hostnames from proxy configs
     this.proxyConfigs.forEach(config => {
@@ -461,26 +461,32 @@ export class NetworkProxy {
             this.log('warn', `Failed to extract expiry date from certificate for ${hostname}`);
           }
           
-          // Update the certificate in the manager
-          this.certManager.setCertificate(hostname, cert, key, expiryDate);
+          // Update the certificate in the handler
+          this.port80Handler.setCertificate(hostname, cert, key, expiryDate);
           
           // Also update our own certificate cache
           this.updateCertificateCache(hostname, cert, key, expiryDate);
           
           this.log('info', `Loaded existing certificate for ${hostname}`);
         } else {
-          // Register the domain for certificate issuance
-          this.certManager.addDomain(hostname);
+          // Register the domain for certificate issuance with new domain options format
+          const domainOptions: IDomainOptions = {
+            domainName: hostname,
+            sslRedirect: true,
+            acmeMaintenance: true
+          };
+          
+          this.port80Handler.addDomain(domainOptions);
           this.log('info', `Registered domain for ACME certificate issuance: ${hostname}`);
         }
       } catch (error) {
-        this.log('error', `Error registering domain ${hostname} with ACME manager: ${error}`);
+        this.log('error', `Error registering domain ${hostname} with Port80Handler: ${error}`);
       }
     });
   }
   
   /**
-   * Handles newly issued or renewed certificates from ACME manager
+   * Handles newly issued or renewed certificates from Port80Handler
    * @private
    */
   private handleCertificateIssued(data: { domain: string; certificate: string; privateKey: string; expiryDate: Date }): void {
@@ -556,13 +562,21 @@ export class NetworkProxy {
     }
     
     // Check if we should trigger certificate issuance
-    if (this.options.acme?.enabled && this.certManager && !domain.includes('*')) {
+    if (this.options.acme?.enabled && this.port80Handler && !domain.includes('*')) {
       // Check if this domain is already registered
-      const certData = this.certManager.getCertificate(domain);
+      const certData = this.port80Handler.getCertificate(domain);
       
       if (!certData) {
         this.log('info', `No certificate found for ${domain}, registering for issuance`);
-        this.certManager.addDomain(domain);
+        
+        // Register with new domain options format
+        const domainOptions: IDomainOptions = {
+          domainName: domain,
+          sslRedirect: true,
+          acmeMaintenance: true
+        };
+        
+        this.port80Handler.addDomain(domainOptions);
       }
     }
     
@@ -587,9 +601,9 @@ export class NetworkProxy {
   public async start(): Promise<void> {
     this.startTime = Date.now();
     
-    // Initialize ACME certificate manager if enabled
+    // Initialize Port80Handler if enabled
     if (this.options.acme.enabled) {
-      await this.initializeAcmeManager();
+      await this.initializePort80Handler();
     }
     
     // Create the HTTPS server
@@ -1588,13 +1602,13 @@ export class NetworkProxy {
     }
     this.connectionPool.clear();
     
-    // Stop ACME certificate manager if it's running
-    if (this.certManager) {
+    // Stop Port80Handler if it's running
+    if (this.port80Handler) {
       try {
-        await this.certManager.stop();
-        this.log('info', 'ACME Certificate Manager stopped');
+        await this.port80Handler.stop();
+        this.log('info', 'Port80Handler stopped');
       } catch (error) {
-        this.log('error', 'Error stopping ACME Certificate Manager', error);
+        this.log('error', 'Error stopping Port80Handler', error);
       }
     }
     
@@ -1619,8 +1633,8 @@ export class NetworkProxy {
       return false;
     }
     
-    if (!this.certManager) {
-      this.log('error', 'ACME certificate manager is not initialized');
+    if (!this.port80Handler) {
+      this.log('error', 'Port80Handler is not initialized');
       return false;
     }
     
@@ -1631,7 +1645,14 @@ export class NetworkProxy {
     }
     
     try {
-      this.certManager.addDomain(domain);
+      // Use the new domain options format
+      const domainOptions: IDomainOptions = {
+        domainName: domain,
+        sslRedirect: true,
+        acmeMaintenance: true
+      };
+      
+      this.port80Handler.addDomain(domainOptions);
       this.log('info', `Certificate request submitted for domain: ${domain}`);
       return true;
     } catch (error) {

ts/classes.port80handler.ts

@@ -1,9 +1,58 @@
 import * as plugins from './plugins.js';
+import { IncomingMessage, ServerResponse } from 'http';
 
 /**
- * Represents a domain certificate with various status information
+ * Custom error classes for better error handling
+ */
+export class Port80HandlerError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = 'Port80HandlerError';
+  }
+}
+
+export class CertificateError extends Port80HandlerError {
+  constructor(
+    message: string,
+    public readonly domain: string,
+    public readonly isRenewal: boolean = false
+  ) {
+    super(`${message} for domain ${domain}${isRenewal ? ' (renewal)' : ''}`);
+    this.name = 'CertificateError';
+  }
+}
+
+export class ServerError extends Port80HandlerError {
+  constructor(message: string, public readonly code?: string) {
+    super(message);
+    this.name = 'ServerError';
+  }
+}
+
+/**
+ * Domain forwarding configuration
+ */
+export interface IForwardConfig {
+  ip: string;
+  port: number;
+}
+
+/**
+ * Domain configuration options
+ */
+export interface IDomainOptions {
+  domainName: string;
+  sslRedirect: boolean;   // if true redirects the request to port 443
+  acmeMaintenance: boolean; // tries to always have a valid cert for this domain
+  forward?: IForwardConfig; // forwards all http requests to that target
+  acmeForward?: IForwardConfig; // forwards letsencrypt requests to this config
+}
+
+/**
+ * Represents a domain configuration with certificate status information
  */
 interface IDomainCertificate {
+  options: IDomainOptions;
   certObtained: boolean;
   obtainingInProgress: boolean;
   certificate?: string;
@@ -15,9 +64,9 @@ interface IDomainCertificate {
 }
 
 /**
- * Configuration options for the ACME Certificate Manager
+ * Configuration options for the Port80Handler
  */
-interface IAcmeCertManagerOptions {
+interface IPort80HandlerOptions {
   port?: number;
   contactEmail?: string;
   useProduction?: boolean;
@@ -29,7 +78,7 @@ interface IAcmeCertManagerOptions {
 /**
  * Certificate data that can be emitted via events or set from outside
  */
-interface ICertificateData {
+export interface ICertificateData {
   domain: string;
   certificate: string;
   privateKey: string;
@@ -37,34 +86,54 @@ interface ICertificateData {
 }
 
 /**
- * Events emitted by the ACME Certificate Manager
+ * Events emitted by the Port80Handler
  */
-export enum CertManagerEvents {
+export enum Port80HandlerEvents {
   CERTIFICATE_ISSUED = 'certificate-issued',
   CERTIFICATE_RENEWED = 'certificate-renewed',
   CERTIFICATE_FAILED = 'certificate-failed',
   CERTIFICATE_EXPIRING = 'certificate-expiring',
   MANAGER_STARTED = 'manager-started',
   MANAGER_STOPPED = 'manager-stopped',
+  REQUEST_FORWARDED = 'request-forwarded',
 }
 
 /**
- * Improved ACME Certificate Manager with event emission and external certificate management
+ * Certificate failure payload type
  */
-export class AcmeCertManager extends plugins.EventEmitter {
+export interface ICertificateFailure {
+  domain: string;
+  error: string;
+  isRenewal: boolean;
+}
+
+/**
+ * Certificate expiry payload type
+ */
+export interface ICertificateExpiring {
+  domain: string;
+  expiryDate: Date;
+  daysRemaining: number;
+}
+
+/**
+ * Port80Handler with ACME certificate management and request forwarding capabilities
+ * Now with glob pattern support for domain matching
+ */
+export class Port80Handler extends plugins.EventEmitter {
   private domainCertificates: Map<string, IDomainCertificate>;
   private server: plugins.http.Server | null = null;
   private acmeClient: plugins.acme.Client | null = null;
   private accountKey: string | null = null;
   private renewalTimer: NodeJS.Timeout | null = null;
   private isShuttingDown: boolean = false;
-  private options: Required<IAcmeCertManagerOptions>;
+  private options: Required<IPort80HandlerOptions>;
 
   /**
-   * Creates a new ACME Certificate Manager
+   * Creates a new Port80Handler
    * @param options Configuration options
    */
-  constructor(options: IAcmeCertManagerOptions = {}) {
+  constructor(options: IPort80HandlerOptions = {}) {
     super();
     this.domainCertificates = new Map<string, IDomainCertificate>();
     
@@ -73,7 +142,7 @@ export class AcmeCertManager extends plugins.EventEmitter {
       port: options.port ?? 80,
       contactEmail: options.contactEmail ?? 'admin@example.com',
       useProduction: options.useProduction ?? false, // Safer default: staging
-      renewThresholdDays: options.renewThresholdDays ?? 30,
+      renewThresholdDays: options.renewThresholdDays ?? 10, // Changed to 10 days as per requirements
       httpsRedirectPort: options.httpsRedirectPort ?? 443,
       renewCheckIntervalHours: options.renewCheckIntervalHours ?? 24,
     };
@@ -84,11 +153,11 @@ export class AcmeCertManager extends plugins.EventEmitter {
    */
   public async start(): Promise<void> {
     if (this.server) {
-      throw new Error('Server is already running');
+      throw new ServerError('Server is already running');
     }
     
     if (this.isShuttingDown) {
-      throw new Error('Server is shutting down');
+      throw new ServerError('Server is shutting down');
     }
 
     return new Promise((resolve, reject) => {
@@ -97,22 +166,39 @@ export class AcmeCertManager extends plugins.EventEmitter {
         
         this.server.on('error', (error: NodeJS.ErrnoException) => {
           if (error.code === 'EACCES') {
-            reject(new Error(`Permission denied to bind to port ${this.options.port}. Try running with elevated privileges or use a port > 1024.`));
+            reject(new ServerError(`Permission denied to bind to port ${this.options.port}. Try running with elevated privileges or use a port > 1024.`, error.code));
           } else if (error.code === 'EADDRINUSE') {
-            reject(new Error(`Port ${this.options.port} is already in use.`));
+            reject(new ServerError(`Port ${this.options.port} is already in use.`, error.code));
           } else {
-            reject(error);
+            reject(new ServerError(error.message, error.code));
           }
         });
         
         this.server.listen(this.options.port, () => {
-          console.log(`AcmeCertManager is listening on port ${this.options.port}`);
+          console.log(`Port80Handler is listening on port ${this.options.port}`);
           this.startRenewalTimer();
-          this.emit(CertManagerEvents.MANAGER_STARTED, this.options.port);
+          this.emit(Port80HandlerEvents.MANAGER_STARTED, this.options.port);
+          
+          // Start certificate process for domains with acmeMaintenance enabled
+          for (const [domain, domainInfo] of this.domainCertificates.entries()) {
+            // Skip glob patterns for certificate issuance
+            if (this.isGlobPattern(domain)) {
+              console.log(`Skipping initial certificate for glob pattern: ${domain}`);
+              continue;
+            }
+            
+            if (domainInfo.options.acmeMaintenance && !domainInfo.certObtained && !domainInfo.obtainingInProgress) {
+              this.obtainCertificate(domain).catch(err => {
+                console.error(`Error obtaining initial certificate for ${domain}:`, err);
+              });
+            }
+          }
+          
           resolve();
         });
       } catch (error) {
-        reject(error);
+        const message = error instanceof Error ? error.message : 'Unknown error starting server';
+        reject(new ServerError(message));
       }
     });
   }
@@ -138,7 +224,7 @@ export class AcmeCertManager extends plugins.EventEmitter {
         this.server.close(() => {
           this.server = null;
           this.isShuttingDown = false;
-          this.emit(CertManagerEvents.MANAGER_STOPPED);
+          this.emit(Port80HandlerEvents.MANAGER_STOPPED);
           resolve();
         });
       } else {
@@ -149,13 +235,41 @@ export class AcmeCertManager extends plugins.EventEmitter {
   }
 
   /**
-   * Adds a domain to be managed for certificates
-   * @param domain The domain to add
+   * Adds a domain with configuration options
+   * @param options Domain configuration options
    */
-  public addDomain(domain: string): void {
-    if (!this.domainCertificates.has(domain)) {
-      this.domainCertificates.set(domain, { certObtained: false, obtainingInProgress: false });
-      console.log(`Domain added: ${domain}`);
+  public addDomain(options: IDomainOptions): void {
+    if (!options.domainName || typeof options.domainName !== 'string') {
+      throw new Port80HandlerError('Invalid domain name');
+    }
+    
+    const domainName = options.domainName;
+    
+    if (!this.domainCertificates.has(domainName)) {
+      this.domainCertificates.set(domainName, {
+        options,
+        certObtained: false,
+        obtainingInProgress: false
+      });
+      
+      console.log(`Domain added: ${domainName} with configuration:`, {
+        sslRedirect: options.sslRedirect,
+        acmeMaintenance: options.acmeMaintenance,
+        hasForward: !!options.forward,
+        hasAcmeForward: !!options.acmeForward
+      });
+      
+      // If acmeMaintenance is enabled and not a glob pattern, start certificate process immediately
+      if (options.acmeMaintenance && this.server && !this.isGlobPattern(domainName)) {
+        this.obtainCertificate(domainName).catch(err => {
+          console.error(`Error obtaining initial certificate for ${domainName}:`, err);
+        });
+      }
+    } else {
+      // Update existing domain with new options
+      const existing = this.domainCertificates.get(domainName)!;
+      existing.options = options;
+      console.log(`Domain ${domainName} configuration updated`);
     }
   }
 
@@ -177,10 +291,30 @@ export class AcmeCertManager extends plugins.EventEmitter {
    * @param expiryDate Optional expiry date
    */
   public setCertificate(domain: string, certificate: string, privateKey: string, expiryDate?: Date): void {
+    if (!domain || !certificate || !privateKey) {
+      throw new Port80HandlerError('Domain, certificate and privateKey are required');
+    }
+    
+    // Don't allow setting certificates for glob patterns
+    if (this.isGlobPattern(domain)) {
+      throw new Port80HandlerError('Cannot set certificate for glob pattern domains');
+    }
+    
     let domainInfo = this.domainCertificates.get(domain);
     
     if (!domainInfo) {
-      domainInfo = { certObtained: false, obtainingInProgress: false };
+      // Create default domain options if not already configured
+      const defaultOptions: IDomainOptions = {
+        domainName: domain,
+        sslRedirect: true,
+        acmeMaintenance: true
+      };
+      
+      domainInfo = { 
+        options: defaultOptions, 
+        certObtained: false, 
+        obtainingInProgress: false 
+      };
       this.domainCertificates.set(domain, domainInfo);
     }
     
@@ -192,27 +326,18 @@ export class AcmeCertManager extends plugins.EventEmitter {
     if (expiryDate) {
       domainInfo.expiryDate = expiryDate;
     } else {
-      // Try to extract expiry date from certificate
-      try {
-        // This is a simplistic approach - in a real implementation, use a proper
-        // certificate parsing library like node-forge or x509
-        const matches = certificate.match(/Not After\s*:\s*(.*?)(?:\n|$)/i);
-        if (matches && matches[1]) {
-          domainInfo.expiryDate = new Date(matches[1]);
-        }
-      } catch (error) {
-        console.warn(`Failed to extract expiry date from certificate for ${domain}`);
-      }
+      // Extract expiry date from certificate
+      domainInfo.expiryDate = this.extractExpiryDateFromCertificate(certificate, domain);
     }
     
     console.log(`Certificate set for ${domain}`);
     
     // Emit certificate event
-    this.emitCertificateEvent(CertManagerEvents.CERTIFICATE_ISSUED, {
+    this.emitCertificateEvent(Port80HandlerEvents.CERTIFICATE_ISSUED, {
       domain,
       certificate,
       privateKey,
-      expiryDate: domainInfo.expiryDate || new Date(Date.now() + 90 * 24 * 60 * 60 * 1000) // 90 days default
+      expiryDate: domainInfo.expiryDate || this.getDefaultExpiryDate()
     });
   }
   
@@ -221,6 +346,11 @@ export class AcmeCertManager extends plugins.EventEmitter {
    * @param domain The domain to get the certificate for
    */
   public getCertificate(domain: string): ICertificateData | null {
+    // Can't get certificates for glob patterns
+    if (this.isGlobPattern(domain)) {
+      return null;
+    }
+    
     const domainInfo = this.domainCertificates.get(domain);
     
     if (!domainInfo || !domainInfo.certObtained || !domainInfo.certificate || !domainInfo.privateKey) {
@@ -231,10 +361,69 @@ export class AcmeCertManager extends plugins.EventEmitter {
       domain,
       certificate: domainInfo.certificate,
       privateKey: domainInfo.privateKey,
-      expiryDate: domainInfo.expiryDate || new Date(Date.now() + 90 * 24 * 60 * 60 * 1000) // 90 days default
+      expiryDate: domainInfo.expiryDate || this.getDefaultExpiryDate()
     };
   }
 
+  /**
+   * Check if a domain is a glob pattern
+   * @param domain Domain to check
+   * @returns True if the domain is a glob pattern
+   */
+  private isGlobPattern(domain: string): boolean {
+    return domain.includes('*');
+  }
+  
+  /**
+   * Get domain info for a specific domain, using glob pattern matching if needed
+   * @param requestDomain The actual domain from the request
+   * @returns The domain info or null if not found
+   */
+  private getDomainInfoForRequest(requestDomain: string): { domainInfo: IDomainCertificate, pattern: string } | null {
+    // Try direct match first
+    if (this.domainCertificates.has(requestDomain)) {
+      return {
+        domainInfo: this.domainCertificates.get(requestDomain)!,
+        pattern: requestDomain
+      };
+    }
+    
+    // Then try glob patterns
+    for (const [pattern, domainInfo] of this.domainCertificates.entries()) {
+      if (this.isGlobPattern(pattern) && this.domainMatchesPattern(requestDomain, pattern)) {
+        return { domainInfo, pattern };
+      }
+    }
+    
+    return null;
+  }
+  
+  /**
+   * Check if a domain matches a glob pattern
+   * @param domain The domain to check
+   * @param pattern The pattern to match against
+   * @returns True if the domain matches the pattern
+   */
+  private domainMatchesPattern(domain: string, pattern: string): boolean {
+    // Handle different glob pattern styles
+    if (pattern.startsWith('*.')) {
+      // *.example.com matches any subdomain
+      const suffix = pattern.substring(2);
+      return domain.endsWith(suffix) && domain.includes('.') && domain !== suffix;
+    } else if (pattern.endsWith('.*')) {
+      // example.* matches any TLD
+      const prefix = pattern.substring(0, pattern.length - 2);
+      const domainParts = domain.split('.');
+      return domain.startsWith(prefix + '.') && domainParts.length >= 2;
+    } else if (pattern === '*') {
+      // Wildcard matches everything
+      return true;
+    } else {
+      // Exact match (shouldn't reach here as we check exact matches first)
+      return domain === pattern;
+    }
+  }
+
   /**
    * Lazy initialization of the ACME client
    * @returns An ACME client instance
@@ -244,23 +433,28 @@ export class AcmeCertManager extends plugins.EventEmitter {
       return this.acmeClient;
     }
     
-    // Generate a new account key
-    this.accountKey = (await plugins.acme.forge.createPrivateKey()).toString();
-    
-    this.acmeClient = new plugins.acme.Client({
-      directoryUrl: this.options.useProduction 
-        ? plugins.acme.directory.letsencrypt.production 
-        : plugins.acme.directory.letsencrypt.staging,
-      accountKey: this.accountKey,
-    });
-    
-    // Create a new account
-    await this.acmeClient.createAccount({
-      termsOfServiceAgreed: true,
-      contact: [`mailto:${this.options.contactEmail}`],
-    });
-    
-    return this.acmeClient;
+    try {
+      // Generate a new account key
+      this.accountKey = (await plugins.acme.forge.createPrivateKey()).toString();
+      
+      this.acmeClient = new plugins.acme.Client({
+        directoryUrl: this.options.useProduction 
+          ? plugins.acme.directory.letsencrypt.production 
+          : plugins.acme.directory.letsencrypt.staging,
+        accountKey: this.accountKey,
+      });
+      
+      // Create a new account
+      await this.acmeClient.createAccount({
+        termsOfServiceAgreed: true,
+        contact: [`mailto:${this.options.contactEmail}`],
+      });
+      
+      return this.acmeClient;
+    } catch (error) {
+      const message = error instanceof Error ? error.message : 'Unknown error initializing ACME client';
+      throw new Port80HandlerError(`Failed to initialize ACME client: ${message}`);
+    }
   }
 
   /**
@@ -279,22 +473,42 @@ export class AcmeCertManager extends plugins.EventEmitter {
     // Extract domain (ignoring any port in the Host header)
     const domain = hostHeader.split(':')[0];
 
-    // If the request is for an ACME HTTP-01 challenge, handle it
-    if (req.url && req.url.startsWith('/.well-known/acme-challenge/')) {
-      this.handleAcmeChallenge(req, res, domain);
-      return;
-    }
-
-    if (!this.domainCertificates.has(domain)) {
+    // Get domain config, using glob pattern matching if needed
+    const domainMatch = this.getDomainInfoForRequest(domain);
+    
+    if (!domainMatch) {
       res.statusCode = 404;
       res.end('Domain not configured');
       return;
     }
 
-    const domainInfo = this.domainCertificates.get(domain)!;
+    const { domainInfo, pattern } = domainMatch;
+    const options = domainInfo.options;
 
-    // If certificate exists, redirect to HTTPS
-    if (domainInfo.certObtained) {
+    // If the request is for an ACME HTTP-01 challenge, handle it
+    if (req.url && req.url.startsWith('/.well-known/acme-challenge/') && (options.acmeMaintenance || options.acmeForward)) {
+      // Check if we should forward ACME requests
+      if (options.acmeForward) {
+        this.forwardRequest(req, res, options.acmeForward, 'ACME challenge');
+        return;
+      }
+      
+      // Only handle ACME challenges for non-glob patterns
+      if (!this.isGlobPattern(pattern)) {
+        this.handleAcmeChallenge(req, res, domain);
+        return;
+      }
+    }
+
+    // Check if we should forward non-ACME requests
+    if (options.forward) {
+      this.forwardRequest(req, res, options.forward, 'HTTP');
+      return;
+    }
+
+    // If certificate exists and sslRedirect is enabled, redirect to HTTPS
+    // (Skip for glob patterns as they won't have certificates)
+    if (!this.isGlobPattern(pattern) && domainInfo.certObtained && options.sslRedirect) {
       const httpsPort = this.options.httpsRedirectPort;
       const portSuffix = httpsPort === 443 ? '' : `:${httpsPort}`;
       const redirectUrl = `https://${domain}${portSuffix}${req.url || '/'}`;
@@ -302,17 +516,94 @@ export class AcmeCertManager extends plugins.EventEmitter {
       res.statusCode = 301;
       res.setHeader('Location', redirectUrl);
       res.end(`Redirecting to ${redirectUrl}`);
-    } else {
+      return;
+    }
+    
+    // Handle case where certificate maintenance is enabled but not yet obtained
+    // (Skip for glob patterns as they can't have certificates)
+    if (!this.isGlobPattern(pattern) && options.acmeMaintenance && !domainInfo.certObtained) {
       // Trigger certificate issuance if not already running
       if (!domainInfo.obtainingInProgress) {
         this.obtainCertificate(domain).catch(err => {
-          this.emit(CertManagerEvents.CERTIFICATE_FAILED, { domain, error: err.message });
+          const errorMessage = err instanceof Error ? err.message : 'Unknown error';
+          this.emit(Port80HandlerEvents.CERTIFICATE_FAILED, {
+            domain,
+            error: errorMessage,
+            isRenewal: false
+          });
           console.error(`Error obtaining certificate for ${domain}:`, err);
         });
       }
       
       res.statusCode = 503;
       res.end('Certificate issuance in progress, please try again later.');
+      return;
+    }
+    
+    // Default response for unhandled request
+    res.statusCode = 404;
+    res.end('No handlers configured for this request');
+  }
+  
+  /**
+   * Forwards an HTTP request to the specified target
+   * @param req The original request
+   * @param res The response object
+   * @param target The forwarding target (IP and port)
+   * @param requestType Type of request for logging
+   */
+  private forwardRequest(
+    req: plugins.http.IncomingMessage, 
+    res: plugins.http.ServerResponse,
+    target: IForwardConfig,
+    requestType: string
+  ): void {
+    const options = {
+      hostname: target.ip,
+      port: target.port,
+      path: req.url,
+      method: req.method,
+      headers: { ...req.headers }
+    };
+    
+    const domain = req.headers.host?.split(':')[0] || 'unknown';
+    console.log(`Forwarding ${requestType} request for ${domain} to ${target.ip}:${target.port}`);
+    
+    const proxyReq = plugins.http.request(options, (proxyRes) => {
+      // Copy status code
+      res.statusCode = proxyRes.statusCode || 500;
+      
+      // Copy headers
+      for (const [key, value] of Object.entries(proxyRes.headers)) {
+        if (value) res.setHeader(key, value);
+      }
+      
+      // Pipe response data
+      proxyRes.pipe(res);
+      
+      this.emit(Port80HandlerEvents.REQUEST_FORWARDED, {
+        domain,
+        requestType,
+        target: `${target.ip}:${target.port}`,
+        statusCode: proxyRes.statusCode
+      });
+    });
+    
+    proxyReq.on('error', (error) => {
+      console.error(`Error forwarding request to ${target.ip}:${target.port}:`, error);
+      if (!res.headersSent) {
+        res.statusCode = 502;
+        res.end(`Proxy error: ${error.message}`);
+      } else {
+        res.end();
+      }
+    });
+    
+    // Pipe original request to proxy request
+    if (req.readable) {
+      req.pipe(proxyReq);
+    } else {
+      proxyReq.end();
     }
   }
 
@@ -351,10 +642,21 @@ export class AcmeCertManager extends plugins.EventEmitter {
    * @param isRenewal Whether this is a renewal attempt
    */
   private async obtainCertificate(domain: string, isRenewal: boolean = false): Promise<void> {
+    // Don't allow certificate issuance for glob patterns
+    if (this.isGlobPattern(domain)) {
+      throw new CertificateError('Cannot obtain certificates for glob pattern domains', domain, isRenewal);
+    }
+    
     // Get the domain info
     const domainInfo = this.domainCertificates.get(domain);
     if (!domainInfo) {
-      throw new Error(`Domain not found: ${domain}`);
+      throw new CertificateError('Domain not found', domain, isRenewal);
+    }
+    
+    // Verify that acmeMaintenance is enabled
+    if (!domainInfo.options.acmeMaintenance) {
+      console.log(`Skipping certificate issuance for ${domain} - acmeMaintenance is disabled`);
+      return;
     }
     
     // Prevent concurrent certificate issuance
@@ -377,40 +679,8 @@ export class AcmeCertManager extends plugins.EventEmitter {
       // Get the authorizations for the order
       const authorizations = await client.getAuthorizations(order);
       
-      for (const authz of authorizations) {
-        const challenge = authz.challenges.find(ch => ch.type === 'http-01');
-        if (!challenge) {
-          throw new Error('HTTP-01 challenge not found');
-        }
-        
-        // Get the key authorization for the challenge
-        const keyAuthorization = await client.getChallengeKeyAuthorization(challenge);
-        
-        // Store the challenge data
-        domainInfo.challengeToken = challenge.token;
-        domainInfo.challengeKeyAuthorization = keyAuthorization;
-
-        // ACME client type definition workaround - use compatible approach
-        // First check if challenge verification is needed
-        const authzUrl = authz.url;
-        
-        try {
-          // Check if authzUrl exists and perform verification
-          if (authzUrl) {
-            await client.verifyChallenge(authz, challenge);
-          }
-          
-          // Complete the challenge
-          await client.completeChallenge(challenge);
-          
-          // Wait for validation
-          await client.waitForValidStatus(challenge);
-          console.log(`HTTP-01 challenge completed for ${domain}`);
-        } catch (error) {
-          console.error(`Challenge error for ${domain}:`, error);
-          throw error;
-        }
-      }
+      // Process each authorization
+      await this.processAuthorizations(client, domain, authorizations);
 
       // Generate a CSR and private key
       const [csrBuffer, privateKeyBuffer] = await plugins.acme.forge.createCsr({
@@ -436,28 +706,20 @@ export class AcmeCertManager extends plugins.EventEmitter {
       delete domainInfo.challengeKeyAuthorization;
       
       // Extract expiry date from certificate
-      try {
-        const matches = certificate.match(/Not After\s*:\s*(.*?)(?:\n|$)/i);
-        if (matches && matches[1]) {
-          domainInfo.expiryDate = new Date(matches[1]);
-          console.log(`Certificate for ${domain} will expire on ${domainInfo.expiryDate.toISOString()}`);
-        }
-      } catch (error) {
-        console.warn(`Failed to extract expiry date from certificate for ${domain}`);
-      }
+      domainInfo.expiryDate = this.extractExpiryDateFromCertificate(certificate, domain);
 
       console.log(`Certificate ${isRenewal ? 'renewed' : 'obtained'} for ${domain}`);
       
       // Emit the appropriate event
       const eventType = isRenewal 
-        ? CertManagerEvents.CERTIFICATE_RENEWED 
-        : CertManagerEvents.CERTIFICATE_ISSUED;
+        ? Port80HandlerEvents.CERTIFICATE_RENEWED 
+        : Port80HandlerEvents.CERTIFICATE_ISSUED;
       
       this.emitCertificateEvent(eventType, {
         domain,
         certificate,
         privateKey,
-        expiryDate: domainInfo.expiryDate || new Date(Date.now() + 90 * 24 * 60 * 60 * 1000) // 90 days default
+        expiryDate: domainInfo.expiryDate || this.getDefaultExpiryDate()
       });
       
     } catch (error: any) {
@@ -473,17 +735,76 @@ export class AcmeCertManager extends plugins.EventEmitter {
       }
       
       // Emit failure event
-      this.emit(CertManagerEvents.CERTIFICATE_FAILED, {
+      this.emit(Port80HandlerEvents.CERTIFICATE_FAILED, {
         domain,
         error: error.message || 'Unknown error',
         isRenewal
-      });
+      } as ICertificateFailure);
+      
+      throw new CertificateError(
+        error.message || 'Certificate issuance failed',
+        domain,
+        isRenewal
+      );
     } finally {
       // Reset flag whether successful or not
       domainInfo.obtainingInProgress = false;
     }
   }
 
+  /**
+   * Process ACME authorizations by verifying and completing challenges
+   * @param client ACME client 
+   * @param domain Domain name
+   * @param authorizations Authorizations to process
+   */
+  private async processAuthorizations(
+    client: plugins.acme.Client,
+    domain: string,
+    authorizations: plugins.acme.Authorization[]
+  ): Promise<void> {
+    const domainInfo = this.domainCertificates.get(domain);
+    if (!domainInfo) {
+      throw new CertificateError('Domain not found during authorization', domain);
+    }
+    
+    for (const authz of authorizations) {
+      const challenge = authz.challenges.find(ch => ch.type === 'http-01');
+      if (!challenge) {
+        throw new CertificateError('HTTP-01 challenge not found', domain);
+      }
+      
+      // Get the key authorization for the challenge
+      const keyAuthorization = await client.getChallengeKeyAuthorization(challenge);
+      
+      // Store the challenge data
+      domainInfo.challengeToken = challenge.token;
+      domainInfo.challengeKeyAuthorization = keyAuthorization;
+
+      // ACME client type definition workaround - use compatible approach
+      // First check if challenge verification is needed
+      const authzUrl = authz.url;
+      
+      try {
+        // Check if authzUrl exists and perform verification
+        if (authzUrl) {
+          await client.verifyChallenge(authz, challenge);
+        }
+        
+        // Complete the challenge
+        await client.completeChallenge(challenge);
+        
+        // Wait for validation
+        await client.waitForValidStatus(challenge);
+        console.log(`HTTP-01 challenge completed for ${domain}`);
+      } catch (error) {
+        const errorMessage = error instanceof Error ? error.message : 'Unknown challenge error';
+        console.error(`Challenge error for ${domain}:`, error);
+        throw new CertificateError(`Challenge verification failed: ${errorMessage}`, domain);
+      }
+    }
+  }
+
   /**
    * Starts the certificate renewal timer
    */
@@ -519,6 +840,16 @@ export class AcmeCertManager extends plugins.EventEmitter {
     const renewThresholdMs = this.options.renewThresholdDays * 24 * 60 * 60 * 1000;
     
     for (const [domain, domainInfo] of this.domainCertificates.entries()) {
+      // Skip glob patterns
+      if (this.isGlobPattern(domain)) {
+        continue;
+      }
+      
+      // Skip domains with acmeMaintenance disabled
+      if (!domainInfo.options.acmeMaintenance) {
+        continue;
+      }
+      
       // Skip domains without certificates or already in renewal
       if (!domainInfo.certObtained || domainInfo.obtainingInProgress) {
         continue;
@@ -534,26 +865,67 @@ export class AcmeCertManager extends plugins.EventEmitter {
       // Check if certificate is near expiry
       if (timeUntilExpiry <= renewThresholdMs) {
         console.log(`Certificate for ${domain} expires soon, renewing...`);
-        this.emit(CertManagerEvents.CERTIFICATE_EXPIRING, {
+        
+        const daysRemaining = Math.ceil(timeUntilExpiry / (24 * 60 * 60 * 1000));
+        
+        this.emit(Port80HandlerEvents.CERTIFICATE_EXPIRING, {
           domain,
           expiryDate: domainInfo.expiryDate,
-          daysRemaining: Math.ceil(timeUntilExpiry / (24 * 60 * 60 * 1000))
-        });
+          daysRemaining
+        } as ICertificateExpiring);
         
         // Start renewal process
         this.obtainCertificate(domain, true).catch(err => {
-          console.error(`Error renewing certificate for ${domain}:`, err);
+          const errorMessage = err instanceof Error ? err.message : 'Unknown error';
+          console.error(`Error renewing certificate for ${domain}:`, errorMessage);
         });
       }
     }
   }
   
+  /**
+   * Extract expiry date from certificate using a more robust approach
+   * @param certificate Certificate PEM string
+   * @param domain Domain for logging
+   * @returns Extracted expiry date or default
+   */
+  private extractExpiryDateFromCertificate(certificate: string, domain: string): Date {
+    try {
+      // This is still using regex, but in a real implementation you would use
+      // a library like node-forge or x509 to properly parse the certificate
+      const matches = certificate.match(/Not After\s*:\s*(.*?)(?:\n|$)/i);
+      if (matches && matches[1]) {
+        const expiryDate = new Date(matches[1]);
+        
+        // Validate that we got a valid date
+        if (!isNaN(expiryDate.getTime())) {
+          console.log(`Certificate for ${domain} will expire on ${expiryDate.toISOString()}`);
+          return expiryDate;
+        }
+      }
+      
+      console.warn(`Could not extract valid expiry date from certificate for ${domain}, using default`);
+      return this.getDefaultExpiryDate();
+    } catch (error) {
+      console.warn(`Failed to extract expiry date from certificate for ${domain}, using default`);
+      return this.getDefaultExpiryDate();
+    }
+  }
+  
+  /**
+   * Get a default expiry date (90 days from now)
+   * @returns Default expiry date
+   */
+  private getDefaultExpiryDate(): Date {
+    return new Date(Date.now() + 90 * 24 * 60 * 60 * 1000); // 90 days default
+  }
+  
   /**
    * Emits a certificate event with the certificate data
    * @param eventType The event type to emit
    * @param data The certificate data
    */
-  private emitCertificateEvent(eventType: CertManagerEvents, data: ICertificateData): void {
+  private emitCertificateEvent(eventType: Port80HandlerEvents, data: ICertificateData): void {
     this.emit(eventType, data);
   }
 }

ts/classes.pp.connectionhandler.ts

@@ -593,13 +593,7 @@ export class ConnectionHandler {
               
               // Function to handle the clean socket termination - but more gradually
               const finishConnection = () => {
-                // Give Chrome more time to process the alert before closing
-                // We won't call destroy() at all - just end() and let the socket close naturally
-
-                // Log the cleanup but wait for natural closure
-                setTimeout(() => {
-                  this.connectionManager.cleanupConnection(record, 'session_ticket_blocked_no_sni');
-                }, 1000); // Longer delay to let socket cleanup happen naturally
+                this.connectionManager.cleanupConnection(record, 'session_ticket_blocked_no_sni');
               };
               
               if (writeSuccessful) {

ts/index.ts

@@ -1,6 +1,7 @@
-export * from './classes.iptablesproxy.js';
+export * from './classes.nftablesproxy.js';
 export * from './classes.networkproxy.js';
-export * from './classes.pp.portproxy.js';
 export * from './classes.port80handler.js';
 export * from './classes.sslredirect.js';
+export * from './classes.pp.portproxy.js';
 export * from './classes.pp.snihandler.js';
+export * from './classes.pp.interfaces.js';