npm - @push.rocks/smartproxy - Versions diffs - 13.1.2 → 15.0.0 - Mend

@push.rocks/smartproxy 13.1.2 → 15.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (29) hide show

package/dist_ts/00_commitinfo_data.js +3 -3
package/dist_ts/proxies/smart-proxy/index.d.ts +5 -3
package/dist_ts/proxies/smart-proxy/index.js +9 -5
package/dist_ts/proxies/smart-proxy/models/index.d.ts +2 -0
package/dist_ts/proxies/smart-proxy/models/index.js +2 -1
package/dist_ts/proxies/smart-proxy/models/interfaces.d.ts +82 -15
package/dist_ts/proxies/smart-proxy/models/interfaces.js +10 -1
package/dist_ts/proxies/smart-proxy/models/route-types.d.ts +133 -0
package/dist_ts/proxies/smart-proxy/models/route-types.js +2 -0
package/dist_ts/proxies/smart-proxy/route-connection-handler.d.ts +55 -0
package/dist_ts/proxies/smart-proxy/route-connection-handler.js +804 -0
package/dist_ts/proxies/smart-proxy/route-helpers.d.ts +127 -0
package/dist_ts/proxies/smart-proxy/route-helpers.js +196 -0
package/dist_ts/proxies/smart-proxy/route-manager.d.ts +103 -0
package/dist_ts/proxies/smart-proxy/route-manager.js +483 -0
package/dist_ts/proxies/smart-proxy/smart-proxy.d.ts +19 -8
package/dist_ts/proxies/smart-proxy/smart-proxy.js +239 -46
package/package.json +2 -2
package/readme.md +863 -423
package/readme.plan.md +311 -250
package/ts/00_commitinfo_data.ts +2 -2
package/ts/proxies/smart-proxy/index.ts +20 -4
package/ts/proxies/smart-proxy/models/index.ts +4 -0
package/ts/proxies/smart-proxy/models/interfaces.ts +91 -13
package/ts/proxies/smart-proxy/models/route-types.ts +184 -0
package/ts/proxies/smart-proxy/route-connection-handler.ts +1117 -0
package/ts/proxies/smart-proxy/route-helpers.ts +344 -0
package/ts/proxies/smart-proxy/route-manager.ts +587 -0
package/ts/proxies/smart-proxy/smart-proxy.ts +300 -69

package/readme.md CHANGED Viewed

@@ -1,16 +1,17 @@
 # @push.rocks/smartproxy
-A high-performance proxy toolkit for Node.js, offering:
-- HTTP/HTTPS reverse proxy with TLS termination and WebSocket support
-- Automatic ACME certificate management (HTTP-01)
-- Low-level port forwarding via nftables
-- HTTP-to-HTTPS and custom URL redirects
-- Advanced TCP/SNI-based proxying with IP filtering and rules
-- Unified forwarding configuration system for all proxy types
+A unified high-performance proxy toolkit for Node.js, with **SmartProxy** as the central API to handle all your proxy needs:
+- **Unified Route-Based Configuration**: Match/action pattern for clean, consistent traffic routing
+- **SSL/TLS Support**: Automatic HTTPS with Let's Encrypt certificate provisioning
+- **Flexible Matching Patterns**: Route by port, domain, path, client IP, and TLS version
+- **Advanced SNI Handling**: Smart TCP/SNI-based forwarding with IP filtering
+- **Multiple Action Types**: Forward (with TLS modes), redirect, or block traffic
+- **Security Features**: IP allowlists, connection limits, timeouts, and more
 ## Project Architecture Overview
-SmartProxy has been restructured using a modern, modular architecture to improve maintainability and clarity:
+SmartProxy has been restructured using a modern, modular architecture with a unified route-based configuration system in v14.0.0:
 ```
 /ts
@@ -28,19 +29,17 @@ SmartProxy has been restructured using a modern, modular architecture to improve
 │   │   ├── http-handler.ts   # HTTP-only handler
 │   │   └── ...               # Other handlers
 │   ├── /config               # Configuration models
-│   │   ├── forwarding-types.ts     # Type definitions
-│   │   ├── domain-config.ts        # Domain config utilities
-│   │   └── domain-manager.ts       # Domain routing manager
 │   └── /factory              # Factory for creating handlers
 ├── /proxies                  # Different proxy implementations
 │   ├── /smart-proxy          # SmartProxy implementation
 │   │   ├── /models           # SmartProxy-specific interfaces
+│   │   │   ├── route-types.ts # Route-based configuration types
+│   │   │   └── interfaces.ts  # SmartProxy interfaces
+│   │   ├── route-helpers.ts  # Helper functions for creating routes
+│   │   ├── route-manager.ts  # Route management system
 │   │   ├── smart-proxy.ts    # Main SmartProxy class
 │   │   └── ...               # Supporting classes
 │   ├── /network-proxy        # NetworkProxy implementation
-│   │   ├── /models           # NetworkProxy-specific interfaces
-│   │   ├── network-proxy.ts  # Main NetworkProxy class
-│   │   └── ...               # Supporting classes
 │   └── /nftables-proxy       # NfTablesProxy implementation
 ├── /tls                      # TLS-specific functionality
 │   ├── /sni                  # SNI handling components
@@ -51,34 +50,54 @@ SmartProxy has been restructured using a modern, modular architecture to improve
     └── /redirects            # Redirect handlers
 ```
-## Exports
-The following classes and interfaces are provided:
+## Main Components
+### Primary API (Recommended)
+- **SmartProxy** (`ts/proxies/smart-proxy/smart-proxy.ts`)
+  The central unified API for all proxy needs, featuring:
+  - Route-based configuration with match/action pattern
+  - Flexible matching criteria (ports, domains, paths, client IPs)
+  - Multiple action types (forward, redirect, block)
+  - Automatic certificate management
+  - Advanced security controls
+### Helper Functions
+- **createRoute**, **createHttpRoute**, **createHttpsRoute**, **createPassthroughRoute**
+  Helper functions to create different route configurations with clean syntax
+- **createRedirectRoute**, **createHttpToHttpsRedirect**, **createBlockRoute**
+  Helper functions for common redirect and security configurations
+- **createLoadBalancerRoute**, **createHttpsServer**
+  Helper functions for complex configurations
+### Specialized Components
 - **NetworkProxy** (`ts/proxies/network-proxy/network-proxy.ts`)
-  HTTP/HTTPS reverse proxy with TLS termination, WebSocket support,
-  connection pooling, and optional ACME integration.
+  HTTP/HTTPS reverse proxy with TLS termination and WebSocket support
 - **Port80Handler** (`ts/http/port80/port80-handler.ts`)
-  ACME HTTP-01 challenge handler and certificate manager.
+  ACME HTTP-01 challenge handler for Let's Encrypt certificates
 - **NfTablesProxy** (`ts/proxies/nftables-proxy/nftables-proxy.ts`)
-  Low-level port forwarding using nftables NAT rules.
+  Low-level port forwarding using nftables NAT rules
 - **Redirect**, **SslRedirect** (`ts/http/redirects/redirect-handler.ts`)
-  HTTP/HTTPS redirect server and shortcut for HTTP→HTTPS.
-- **SmartProxy** (`ts/proxies/smart-proxy/smart-proxy.ts`)
-  TCP/SNI-based proxy with dynamic routing, IP filtering, and unified certificates.
+  HTTP-to-HTTPS redirects with customizable rules
 - **SniHandler** (`ts/tls/sni/sni-handler.ts`)
-  Static utilities to extract SNI hostnames from TLS handshakes.
-- **Forwarding Handlers** (`ts/forwarding/handlers/*.ts`)
-  Unified forwarding handlers for different connection types (HTTP, HTTPS passthrough, TLS termination).
-- **Core Utilities**
-  - **ValidationUtils** (`ts/core/utils/validation-utils.ts`) for domain, port, and configuration validation
-  - **IpUtils** (`ts/core/utils/ip-utils.ts`) for IP address validation and filtering
-- **Interfaces and Types**
-  - `ISmartProxyOptions`, `IDomainConfig` (`ts/proxies/smart-proxy/models/interfaces.ts`)
-  - `INetworkProxyOptions` (`ts/proxies/network-proxy/models/types.ts`)
-  - `IAcmeOptions`, `IDomainOptions` (`ts/certificate/models/certificate-types.ts`)
-  - `INfTableProxySettings` (`ts/proxies/nftables-proxy/models/interfaces.ts`)
-  - `IForwardConfig`, `TForwardingType` (`ts/forwarding/config/forwarding-types.ts`)
+  Utilities for SNI extraction from TLS handshakes
+### Core Utilities
+- **ValidationUtils** (`ts/core/utils/validation-utils.ts`)
+  Domain, port, and configuration validation
+- **IpUtils** (`ts/core/utils/ip-utils.ts`)
+  IP address validation and filtering with glob patterns
+### Interfaces and Types
+- `IRouteConfig`, `IRouteMatch`, `IRouteAction` (`ts/proxies/smart-proxy/models/route-types.ts`)
+- `IRoutedSmartProxyOptions` (`ts/proxies/smart-proxy/models/route-types.ts`)
+- `INetworkProxyOptions` (`ts/proxies/network-proxy/models/types.ts`)
+- `IAcmeOptions`, `IDomainOptions` (`ts/certificate/models/certificate-types.ts`)
+- `INfTableProxySettings` (`ts/proxies/nftables-proxy/models/interfaces.ts`)
 ## Installation
 Install via npm:
@@ -86,181 +105,559 @@ Install via npm:
 npm install @push.rocks/smartproxy
 ```
-## Quick Start
+## Quick Start with SmartProxy v14.0.0
+SmartProxy v14.0.0 introduces a new unified route-based configuration system that makes configuring proxies more flexible and intuitive.
-### 1. HTTP(S) Reverse Proxy (NetworkProxy)
 ```typescript
-import { NetworkProxy } from '@push.rocks/smartproxy';
+import {
+  SmartProxy,
+  createHttpRoute,
+  createHttpsRoute,
+  createPassthroughRoute,
+  createHttpToHttpsRedirect
+} from '@push.rocks/smartproxy';
+// Create a new SmartProxy instance with route-based configuration
+const proxy = new SmartProxy({
+  // Define all your routing rules in one array
+  routes: [
+    // Basic HTTP route - forward traffic from port 80 to internal service
+    createHttpRoute({
+      ports: 80,
+      domains: 'api.example.com',
+      target: { host: 'localhost', port: 3000 }
+    }),
+    // HTTPS route with TLS termination and automatic certificates
+    createHttpsRoute({
+      ports: 443,
+      domains: 'secure.example.com',
+      target: { host: 'localhost', port: 8080 },
+      certificate: 'auto'  // Use Let's Encrypt
+    }),
+    // HTTPS passthrough for legacy systems
+    createPassthroughRoute({
+      ports: 443,
+      domains: 'legacy.example.com',
+      target: { host: '192.168.1.10', port: 443 }
+    }),
+    // Redirect HTTP to HTTPS
+    createHttpToHttpsRedirect({
+      domains: ['example.com', '*.example.com']
+    }),
+    // Complex load balancer setup with security controls
+    createLoadBalancerRoute({
+      domains: ['app.example.com'],
+      targets: ['192.168.1.10', '192.168.1.11', '192.168.1.12'],
+      targetPort: 8080,
+      tlsMode: 'terminate',
+      certificate: 'auto',
+      security: {
+        allowedIps: ['10.0.0.*', '192.168.1.*'],
+        blockedIps: ['1.2.3.4'],
+        maxConnections: 1000
+      }
+    })
+  ],
-const proxy = new NetworkProxy({ port: 443 });
-await proxy.start();
+  // Global settings that apply to all routes
+  defaults: {
+    security: {
+      maxConnections: 500
+    }
+  },
-await proxy.updateProxyConfigs([
-  {
-    hostName: 'example.com',
-    destinationIps: ['127.0.0.1'],
-    destinationPorts: [3000],
-    publicKey: fs.readFileSync('cert.pem', 'utf8'),
-    privateKey: fs.readFileSync('key.pem', 'utf8'),
+  // Automatic Let's Encrypt integration
+  acme: {
+    enabled: true,
+    contactEmail: 'admin@example.com',
+    useProduction: true
   }
-]);
+});
-// Add default headers to all responses
-await proxy.addDefaultHeaders({
-  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
+// Listen for certificate events
+proxy.on('certificate', evt => {
+  console.log(`Certificate for ${evt.domain} ready, expires: ${evt.expiryDate}`);
 });
-// ...
+// Start the proxy
+await proxy.start();
+// Dynamically add new routes later
+await proxy.addRoutes([
+  createHttpsRoute({
+    domains: 'new-domain.com',
+    target: { host: 'localhost', port: 9000 },
+    certificate: 'auto'
+  })
+]);
+// Later, gracefully shut down
 await proxy.stop();
 ```
-### 2. HTTP→HTTPS Redirect (Redirect / SslRedirect)
+## Route-Based Configuration System
+SmartProxy v14.0.0 introduces a new unified route configuration system based on the `IRouteConfig` interface. This system follows a match/action pattern that makes routing more powerful, flexible, and declarative.
+### IRouteConfig Interface
+The `IRouteConfig` interface is the core building block of SmartProxy's configuration system. Each route definition consists of match criteria and an action to perform on matched traffic:
 ```typescript
-import { Redirect, SslRedirect } from '@push.rocks/smartproxy';
-import * as fs from 'fs';
+interface IRouteConfig {
+  // What traffic to match (required)
+  match: IRouteMatch;
+  // What to do with matched traffic (required)
+  action: IRouteAction;
+  // Metadata (all optional)
+  name?: string;             // Human-readable name for this route
+  description?: string;      // Description of the route's purpose
+  priority?: number;         // Controls matching order (higher = matched first)
+  tags?: string[];           // Arbitrary tags for categorization
+}
+```
+#### Match Criteria (IRouteMatch)
+The `match` property defines criteria for identifying which incoming traffic should be handled by this route:
+```typescript
+interface IRouteMatch {
+  // Listen on these ports (required)
+  ports: TPortRange;  // number | number[] | Array<{ from: number; to: number }>
+  // Optional domain patterns to match (default: all domains)
+  domains?: string | string[];  // Supports wildcards like '*.example.com'
+  // Advanced matching criteria (all optional)
+  path?: string;           // Match specific URL paths, supports glob patterns
+  clientIp?: string[];     // Match specific client IPs, supports glob patterns
+  tlsVersion?: string[];   // Match specific TLS versions e.g. ['TLSv1.2', 'TLSv1.3']
+}
+```
+**Port Specification:**
+- **Single port:** `ports: 80`
+- **Multiple ports:** `ports: [80, 443]`
+- **Port ranges:** `ports: [{ from: 8000, to: 8100 }]`
+- **Mixed format:** `ports: [80, 443, { from: 8000, to: 8100 }]`
+**Domain Matching:**
+- **Single domain:** `domains: 'example.com'`
+- **Multiple domains:** `domains: ['example.com', 'api.example.com']`
+- **Wildcard domains:** `domains: '*.example.com'` (matches any subdomain)
+- **Root domain + subdomains:** `domains: ['example.com', '*.example.com']`
+**Path Matching:**
+- **Exact path:** `path: '/api'` (matches only /api exactly)
+- **Prefix match:** `path: '/api/*'` (matches /api and any paths under it)
+- **Multiple patterns:** Use multiple routes with different priorities
+**Client IP Matching:**
+- **Exact IP:** `clientIp: ['192.168.1.1']`
+- **Subnet wildcards:** `clientIp: ['10.0.0.*', '192.168.1.*']`
+- **CIDR notation:** `clientIp: ['10.0.0.0/24']`
+**TLS Version Matching:**
+- `tlsVersion: ['TLSv1.2', 'TLSv1.3']` (only match these TLS versions)
+#### Action Configuration (IRouteAction)
+The `action` property defines what to do with traffic that matches the criteria:
+```typescript
+interface IRouteAction {
+  // Action type (required)
+  type: 'forward' | 'redirect' | 'block';
+  // For 'forward' actions
+  target?: IRouteTarget;
+  // TLS handling for 'forward' actions
+  tls?: IRouteTls;
+  // For 'redirect' actions
+  redirect?: IRouteRedirect;
+  // Security options for any action
+  security?: IRouteSecurity;
+  // Advanced options
+  advanced?: IRouteAdvanced;
+}
+```
+**Forward Action:**
+When `type: 'forward'`, the traffic is forwarded to the specified target:
+```typescript
+interface IRouteTarget {
+  host: string | string[];  // Target host(s) - string array enables round-robin
+  port: number;             // Target port
+  preservePort?: boolean;   // Use incoming port as target port (default: false)
+}
+```
+**TLS Configuration:**
+When forwarding with TLS, you can configure how TLS is handled:
+```typescript
+interface IRouteTls {
+  mode: 'passthrough' | 'terminate' | 'terminate-and-reencrypt';
+  certificate?: 'auto' | {   // 'auto' = use ACME (Let's Encrypt)
+    key: string;            // TLS private key content
+    cert: string;           // TLS certificate content
+  };
+}
+```
+**TLS Modes:**
+- **passthrough:** Forward raw encrypted TLS traffic without decryption
+- **terminate:** Terminate TLS and forward as HTTP
+- **terminate-and-reencrypt:** Terminate TLS and create a new TLS connection to the backend
+**Redirect Action:**
+When `type: 'redirect'`, the client is redirected:
+```typescript
+interface IRouteRedirect {
+  to: string;                   // URL or template with variables
+  status: 301 | 302 | 307 | 308;  // HTTP status code
+}
+```
+**Block Action:**
+When `type: 'block'`, the connection is immediately closed.
+**Security Options:**
+For any action type, you can add security controls:
+```typescript
+interface IRouteSecurity {
+  allowedIps?: string[];     // IP allowlist with glob pattern support
+  blockedIps?: string[];     // IP blocklist with glob pattern support
+  maxConnections?: number;   // Maximum concurrent connections
+  authentication?: {         // Optional authentication (future support)
+    type: 'basic' | 'digest' | 'oauth';
+    // Auth-specific options
+  };
+}
+```
+**Advanced Options:**
+Additional advanced configurations:
+```typescript
+interface IRouteAdvanced {
+  timeout?: number;                 // Connection timeout in milliseconds
+  headers?: Record<string, string>; // Custom HTTP headers
+  keepAlive?: boolean;              // Enable connection pooling
+  // Additional advanced options
+}
+```
+#### Template Variables
+String values in redirect URLs and headers can include variables:
+- `{domain}`: The requested domain name
+- `{port}`: The incoming port number
+- `{path}`: The requested URL path
+- `{query}`: The query string
+- `{clientIp}`: The client's IP address
+- `{sni}`: The SNI hostname
+Example with template variables:
+```typescript
+redirect: {
+  to: 'https://{domain}{path}?source=redirect',
+  status: 301
+}
+```
+#### Route Metadata and Prioritization
+You can add metadata to routes to help with organization and control matching priority:
+```typescript
+{
+  name: 'API Server',                 // Human-readable name
+  description: 'Main API endpoints',  // Description
+  priority: 100,                      // Matching priority (higher = matched first)
+  tags: ['api', 'internal']           // Arbitrary tags
+}
+```
+Routes with higher priority values are matched first, allowing you to create specialized routes that take precedence over more general ones.
-// Custom redirect rules
-const redirect = new Redirect({
-  httpPort: 80,
-  httpsPort: 443,
-  sslOptions: {
-    key: fs.readFileSync('key.pem'),
-    cert: fs.readFileSync('cert.pem'),
+#### Complete Route Configuration Example
+```typescript
+// Example of a complete route configuration
+{
+  match: {
+    ports: 443,
+    domains: ['api.example.com', 'api-v2.example.com'],
+    path: '/secure/*',
+    clientIp: ['10.0.0.*', '192.168.1.*']
   },
-  rules: [
-    {
-      fromProtocol: 'http',
-      fromHost: '*',
-      toProtocol: 'https',
-      toHost: '$1',
-      statusCode: 301
+  action: {
+    type: 'forward',
+    target: {
+      host: ['10.0.0.1', '10.0.0.2'],  // Round-robin between these hosts
+      port: 8080
+    },
+    tls: {
+      mode: 'terminate',
+      certificate: 'auto'  // Use Let's Encrypt
+    },
+    security: {
+      allowedIps: ['10.0.0.*'],
+      maxConnections: 100
+    },
+    advanced: {
+      timeout: 30000,
+      headers: {
+        'X-Original-Host': '{domain}',
+        'X-Client-IP': '{clientIp}'
+      },
+      keepAlive: true
     }
-  ]
+  },
+  name: 'Secure API Route',
+  description: 'Route for secure API endpoints with authentication',
+  priority: 100,
+  tags: ['api', 'secure', 'internal']
+}
+```
+### Using Helper Functions
+While you can create route configurations manually, SmartProxy provides helper functions to make it easier:
+```typescript
+// Instead of building the full object:
+const route = {
+  match: { ports: 80, domains: 'example.com' },
+  action: { type: 'forward', target: { host: 'localhost', port: 8080 } },
+  name: 'Web Server'
+};
+// Use the helper function:
+const route = createHttpRoute({
+  domains: 'example.com',
+  target: { host: 'localhost', port: 8080 },
+  name: 'Web Server'
 });
-await redirect.start();
+```
-// Quick HTTP→HTTPS helper on port 80
-const quick = new SslRedirect(80);
-await quick.start();
+Available helper functions:
+- `createRoute()` - Basic function to create any route configuration
+- `createHttpRoute()` - Create an HTTP forwarding route
+- `createHttpsRoute()` - Create an HTTPS route with TLS termination
+- `createPassthroughRoute()` - Create an HTTPS passthrough route
+- `createRedirectRoute()` - Create a generic redirect route
+- `createHttpToHttpsRedirect()` - Create an HTTP to HTTPS redirect
+- `createBlockRoute()` - Create a route to block specific traffic
+- `createLoadBalancerRoute()` - Create a route for load balancing
+- `createHttpsServer()` - Create a complete HTTPS server setup with HTTP redirect
+## What You Can Do with SmartProxy
+1. **Route-Based Traffic Management**
+   ```typescript
+   // Route requests for different domains to different backend servers
+   createHttpsRoute({
+     domains: 'api.example.com',
+     target: { host: 'api-server', port: 3000 },
+     certificate: 'auto'
+   })
+   ```
+2. **Automatic SSL with Let's Encrypt**
+   ```typescript
+   // Get and automatically renew certificates
+   createHttpsRoute({
+     domains: 'secure.example.com',
+     target: { host: 'localhost', port: 8080 },
+     certificate: 'auto'
+   })
+   ```
+3. **Load Balancing**
+   ```typescript
+   // Distribute traffic across multiple backend servers
+   createLoadBalancerRoute({
+     domains: 'app.example.com',
+     targets: ['10.0.0.1', '10.0.0.2', '10.0.0.3'],
+     targetPort: 8080,
+     tlsMode: 'terminate',
+     certificate: 'auto'
+   })
+   ```
+4. **Security Controls**
+   ```typescript
+   // Restrict access based on IP addresses
+   createHttpsRoute({
+     domains: 'admin.example.com',
+     target: { host: 'localhost', port: 8080 },
+     certificate: 'auto',
+     security: {
+       allowedIps: ['10.0.0.*', '192.168.1.*'],
+       maxConnections: 100
+     }
+   })
+   ```
+5. **Wildcard Domains**
+   ```typescript
+   // Handle all subdomains with one config
+   createPassthroughRoute({
+     domains: ['example.com', '*.example.com'],
+     target: { host: 'backend-server', port: 443 }
+   })
+   ```
+6. **Path-Based Routing**
+   ```typescript
+   // Route based on URL path
+   createHttpsRoute({
+     domains: 'example.com',
+     path: '/api/*',
+     target: { host: 'api-server', port: 3000 },
+     certificate: 'auto'
+   })
+   ```
+7. **Block Malicious Traffic**
+   ```typescript
+   // Block traffic from specific IPs
+   createBlockRoute({
+     ports: [80, 443],
+     clientIp: ['1.2.3.*', '5.6.7.*'],
+     priority: 1000  // High priority to ensure blocking
+   })
+   ```
+## Other Components
+While SmartProxy provides a unified API for most needs, you can also use individual components:
+### NetworkProxy
+For HTTP/HTTPS reverse proxy with TLS termination and WebSocket support:
+```typescript
+import { NetworkProxy } from '@push.rocks/smartproxy';
+import * as fs from 'fs';
+const proxy = new NetworkProxy({ port: 443 });
+await proxy.start();
+await proxy.updateProxyConfigs([
+  {
+    hostName: 'example.com',
+    destinationIps: ['127.0.0.1'],
+    destinationPorts: [3000],
+    publicKey: fs.readFileSync('cert.pem', 'utf8'),
+    privateKey: fs.readFileSync('key.pem', 'utf8'),
+  }
+]);
 ```
-### 3. Automatic Certificates (ACME Port80Handler)
+### Port80Handler
+For standalone ACME certificate management:
 ```typescript
 import { Port80Handler } from '@push.rocks/smartproxy';
-// Configure ACME on port 80 with contact email
 const acme = new Port80Handler({
   port: 80,
   contactEmail: 'admin@example.com',
-  useProduction: true,
-  renewThresholdDays: 30
-});
-acme.on('certificate-issued', evt => {
-  console.log(`Certificate ready for ${evt.domain}, expires ${evt.expiryDate}`);
+  useProduction: true
 });
+acme.on('certificate-issued', evt => console.log(`Certificate ready: ${evt.domain}`));
 await acme.start();
-acme.addDomain({
-  domainName: 'example.com',
-  sslRedirect: true,
-  acmeMaintenance: true
-});
 ```
-### 4. Low-Level Port Forwarding (NfTablesProxy)
+### NfTablesProxy
+For low-level port forwarding using nftables:
 ```typescript
 import { NfTablesProxy } from '@push.rocks/smartproxy';
-// Forward port 80→8080 with source IP preservation
 const nft = new NfTablesProxy({
   fromPort: 80,
   toPort: 8080,
   toHost: 'localhost',
-  preserveSourceIP: true,
-  deleteOnExit: true
+  preserveSourceIP: true
 });
 await nft.start();
-// ...
-await nft.stop();
 ```
-### 5. TCP/SNI Proxy (SmartProxy)
+### Redirect / SslRedirect
+For HTTP-to-HTTPS redirects:
 ```typescript
-import { SmartProxy } from '@push.rocks/smartproxy';
-import { createDomainConfig, httpOnly, tlsTerminateToHttp, httpsPassthrough } from '@push.rocks/smartproxy';
+import { SslRedirect } from '@push.rocks/smartproxy';
-const smart = new SmartProxy({
-  fromPort: 443,
-  toPort: 8443,
-  domainConfigs: [
-    // HTTPS passthrough example
-    createDomainConfig(['example.com', '*.example.com'],
-      httpsPassthrough({
-        target: {
-          host: '127.0.0.1',
-          port: 443
-        },
-        security: {
-          allowedIps: ['*']
-        }
-      })
-    ),
-    // HTTPS termination example
-    createDomainConfig('secure.example.com',
-      tlsTerminateToHttp({
-        target: {
-          host: 'localhost',
-          port: 3000
-        },
-        acme: {
-          enabled: true,
-          production: true
-        }
-      })
-    )
-  ],
-  sniEnabled: true
-});
-smart.on('certificate', evt => console.log(evt));
-await smart.start();
-// Update domains later
-await smart.updateDomainConfigs([/* new configs */]);
+// Quick HTTP→HTTPS helper on port 80
+const redirect = new SslRedirect(80);
+await redirect.start();
 ```
-### 6. SNI Utilities (SniHandler)
-```js
-import { SniHandler } from '@push.rocks/smartproxy';
+## Migration from v13.x to v14.0.0
-// Extract SNI from a TLS ClientHello buffer
-const sni = SniHandler.extractSNI(buffer);
+Version 14.0.0 introduces a breaking change with the new route-based configuration system:
-// Reassemble fragmented ClientHello
-const complete = SniHandler.handleFragmentedClientHello(buf, connId);
-```
+### Key Changes
-### 7. Core Utilities (ValidationUtils, IpUtils)
-```typescript
-import { ValidationUtils, IpUtils } from '@push.rocks/smartproxy';
+1. **Configuration Structure**: The configuration now uses the match/action pattern instead of the old domain-based and port-based approach
+2. **SmartProxy Options**: Now takes an array of route configurations instead of `domainConfigs` and port ranges
+3. **Helper Functions**: New helper functions have been introduced to simplify configuration
-// Validate a domain name
-const isValidDomain = ValidationUtils.isValidDomainName('example.com');
+### Migration Example
-// Check if an IP is allowed based on filters
-const isAllowed = IpUtils.isIPAuthorized(
-  '192.168.1.1',
-  ['192.168.1.*'], // allowed IPs
-  ['192.168.1.100'] // blocked IPs
-);
+**v13.x Configuration**:
+```typescript
+import { SmartProxy, createDomainConfig, httpOnly, tlsTerminateToHttp } from '@push.rocks/smartproxy';
-// Convert CIDR to glob patterns
-const globPatterns = IpUtils.cidrToGlobPatterns('10.0.0.0/24');
+const proxy = new SmartProxy({
+  fromPort: 443,
+  domainConfigs: [
+    createDomainConfig('example.com', tlsTerminateToHttp({
+      target: { host: 'localhost', port: 8080 },
+      acme: { enabled: true, production: true }
+    }))
+  ],
+  sniEnabled: true
+});
 ```
-## API Reference
-For full configuration options and type definitions, see the TypeScript interfaces:
-- `INetworkProxyOptions` (`ts/proxies/network-proxy/models/types.ts`)
-- `IAcmeOptions`, `IDomainOptions` (`ts/certificate/models/certificate-types.ts`)
-- `IForwardConfig` (`ts/forwarding/config/forwarding-types.ts`)
-- `INfTableProxySettings` (`ts/proxies/nftables-proxy/models/interfaces.ts`)
-- `ISmartProxyOptions`, `IDomainConfig` (`ts/proxies/smart-proxy/models/interfaces.ts`)
+**v14.0.0 Configuration**:
+```typescript
+import { SmartProxy, createHttpsRoute } from '@push.rocks/smartproxy';
+const proxy = new SmartProxy({
+  routes: [
+    createHttpsRoute({
+      ports: 443,
+      domains: 'example.com',
+      target: { host: 'localhost', port: 8080 },
+      certificate: 'auto'
+    })
+  ]
+});
+```
+### Migration Steps
+1. Replace `domainConfigs` with an array of route configurations using `routes`
+2. Convert each domain configuration to use the new helper functions
+3. Update any code that uses `updateDomainConfigs()` to use `addRoutes()` or `updateRoutes()`
+4. For port-only configurations, create route configurations with port matching only
+5. For SNI-based routing, SNI is now automatically enabled when needed
 ## Architecture & Flow Diagrams
@@ -270,11 +667,10 @@ flowchart TB
     subgraph "SmartProxy Components"
         direction TB
-        HTTP80["HTTP Port 80<br>Redirect / SslRedirect"]
+        RouteConfig["Route Configuration<br>(Match/Action)"]
+        RouteManager["Route Manager"]
         HTTPS443["HTTPS Port 443<br>NetworkProxy"]
         SmartProxy["SmartProxy<br>(TCP/SNI Proxy)"]
-        NfTables[NfTablesProxy]
-        Router[ProxyRouter]
         ACME["Port80Handler<br>(ACME HTTP-01)"]
         Certs[(SSL Certificates)]
     end
@@ -285,188 +681,110 @@ flowchart TB
         Service3[Service 3]
     end
-    Client -->|HTTP Request| HTTP80
-    HTTP80 -->|Redirect| Client
-    Client -->|HTTPS Request| HTTPS443
-    Client -->|TLS/TCP| SmartProxy
+    Client -->|HTTP/HTTPS Request| SmartProxy
-    HTTPS443 -->|Route Request| Router
-    Router -->|Proxy Request| Service1
-    Router -->|Proxy Request| Service2
+    SmartProxy -->|Route Matching| RouteManager
+    RouteManager -->|Use| RouteConfig
+    RouteManager -->|Execute Action| SmartProxy
-    SmartProxy -->|Direct TCP| Service2
-    SmartProxy -->|Direct TCP| Service3
+    SmartProxy -->|Forward| Service1
+    SmartProxy -->|Redirect| Client
+    SmartProxy -->|Forward| Service2
+    SmartProxy -->|Forward| Service3
-    NfTables -.->|Low-level forwarding| SmartProxy
-    HTTP80 -.->|Challenge Response| ACME
     ACME -.->|Generate/Manage| Certs
-    Certs -.->|Provide TLS Certs| HTTPS443
+    Certs -.->|Provide TLS Certs| SmartProxy
     classDef component fill:#f9f,stroke:#333,stroke-width:2px;
     classDef backend fill:#bbf,stroke:#333,stroke-width:1px;
     classDef client fill:#dfd,stroke:#333,stroke-width:2px;
     class Client client;
-    class HTTP80,HTTPS443,SmartProxy,NfTables,Router,ACME component;
+    class RouteConfig,RouteManager,HTTPS443,SmartProxy,ACME component;
     class Service1,Service2,Service3 backend;
 ```
-### HTTPS Reverse Proxy Flow
-This diagram shows how HTTPS requests are handled and proxied to backend services:
+### Route-Based Connection Handling
+This diagram illustrates how requests are matched and processed using the route-based configuration:
 ```mermaid
 sequenceDiagram
     participant Client
-    participant NetworkProxy
-    participant ProxyRouter
+    participant SmartProxy
+    participant RouteManager
     participant Backend
-    Client->>NetworkProxy: HTTPS Request
-    Note over NetworkProxy: TLS Termination
-    NetworkProxy->>ProxyRouter: Route Request
-    ProxyRouter->>ProxyRouter: Match hostname to config
-    alt Authentication Required
-        NetworkProxy->>Client: Request Authentication
-        Client->>NetworkProxy: Send Credentials
-        NetworkProxy->>NetworkProxy: Validate Credentials
-    end
-    NetworkProxy->>Backend: Forward Request
-    Backend->>NetworkProxy: Response
-    Note over NetworkProxy: Add Default Headers
+    Client->>SmartProxy: Connection (TCP/HTTP/HTTPS)
-    NetworkProxy->>Client: Forward Response
+    SmartProxy->>RouteManager: Match connection against routes
-    alt WebSocket Request
-        Client->>NetworkProxy: Upgrade to WebSocket
-        NetworkProxy->>Backend: Upgrade to WebSocket
-        loop WebSocket Active
-            Client->>NetworkProxy: WebSocket Message
-            NetworkProxy->>Backend: Forward Message
-            Backend->>NetworkProxy: WebSocket Message
-            NetworkProxy->>Client: Forward Message
-            NetworkProxy-->>NetworkProxy: Heartbeat Check
-        end
-    end
-```
-### SNI-based Connection Handling
-This diagram illustrates how TCP connections with SNI (Server Name Indication) are processed and forwarded:
-```mermaid
-sequenceDiagram
-    participant Client
-    participant SmartProxy
-    participant Backend
+    RouteManager->>RouteManager: Check port match
+    RouteManager->>RouteManager: Check domain match (if SNI)
+    RouteManager->>RouteManager: Check path match (if HTTP)
+    RouteManager->>RouteManager: Check client IP match
+    RouteManager->>RouteManager: Check TLS version match
-    Client->>SmartProxy: TLS Connection
+    RouteManager->>RouteManager: Determine highest priority matching route
-    alt SNI Enabled
-        SmartProxy->>Client: Accept Connection
-        Client->>SmartProxy: TLS ClientHello with SNI
-        SmartProxy->>SmartProxy: Extract SNI Hostname
-        SmartProxy->>SmartProxy: Match Domain Config
-        SmartProxy->>SmartProxy: Validate Client IP
+    alt Forward Action
+        RouteManager->>SmartProxy: Use forward action
-        alt IP Allowed
-            SmartProxy->>Backend: Forward Connection
-            Note over SmartProxy,Backend: Bidirectional Data Flow
-        else IP Rejected
-            SmartProxy->>Client: Close Connection
+        alt TLS Termination
+            SmartProxy->>SmartProxy: Terminate TLS
+            SmartProxy->>Backend: Forward as HTTP/HTTPS
+        else TLS Passthrough
+            SmartProxy->>Backend: Forward raw TCP
         end
-    else Port-based Routing
-        SmartProxy->>SmartProxy: Match Port Range
-        SmartProxy->>SmartProxy: Find Domain Config
-        SmartProxy->>SmartProxy: Validate Client IP
-        alt IP Allowed
-            SmartProxy->>Backend: Forward Connection
-            Note over SmartProxy,Backend: Bidirectional Data Flow
-        else IP Rejected
-            SmartProxy->>Client: Close Connection
-        end
+    else Redirect Action
+        RouteManager->>SmartProxy: Use redirect action
+        SmartProxy->>Client: Send redirect response
+    else Block Action
+        RouteManager->>SmartProxy: Use block action
+        SmartProxy->>Client: Close connection
     end
     loop Connection Active
         SmartProxy-->>SmartProxy: Monitor Activity
-        SmartProxy-->>SmartProxy: Check Max Lifetime
-        alt Inactivity or Max Lifetime Exceeded
+        SmartProxy-->>SmartProxy: Check Security Rules
+        alt Security Violation or Timeout
             SmartProxy->>Client: Close Connection
             SmartProxy->>Backend: Close Connection
         end
     end
 ```
-### Let's Encrypt Certificate Acquisition
-This diagram shows how certificates are automatically acquired through the ACME protocol:
-```mermaid
-sequenceDiagram
-    participant Client
-    participant Port80Handler
-    participant ACME as Let's Encrypt ACME
-    participant NetworkProxy
-    Client->>Port80Handler: HTTP Request for domain
-    alt Certificate Exists
-        Port80Handler->>Client: Redirect to HTTPS
-    else No Certificate
-        Port80Handler->>Port80Handler: Mark domain as obtaining cert
-        Port80Handler->>ACME: Create account & new order
-        ACME->>Port80Handler: Challenge information
-        Port80Handler->>Port80Handler: Store challenge token & key authorization
-        ACME->>Port80Handler: HTTP-01 Challenge Request
-        Port80Handler->>ACME: Challenge Response
-        ACME->>ACME: Validate domain ownership
-        ACME->>Port80Handler: Challenge validated
-        Port80Handler->>Port80Handler: Generate CSR
-        Port80Handler->>ACME: Submit CSR
-        ACME->>Port80Handler: Issue Certificate
-        Port80Handler->>Port80Handler: Store certificate & private key
-        Port80Handler->>Port80Handler: Mark certificate as obtained
-        Note over Port80Handler,NetworkProxy: Certificate available for use
-        Client->>Port80Handler: Another HTTP Request
-        Port80Handler->>Client: Redirect to HTTPS
-        Client->>NetworkProxy: HTTPS Request
-        Note over NetworkProxy: Uses new certificate
-    end
-```
 ## Features
-- HTTP/HTTPS Reverse Proxy (NetworkProxy)
-  • TLS termination, virtual-host routing, HTTP/2 & WebSocket support, pooling & metrics
+- **Route-Based Traffic Management**
+  • Match/action pattern for flexible routing
+  • Port, domain, path, client IP, and TLS version matching
+  • Multiple action types (forward, redirect, block)
-- Automatic ACME Certificates (Port80Handler)
-  • HTTP-01 challenge handling, certificate issuance/renewal, pluggable storage
+- **TLS Handling Options**
+  • TLS passthrough for end-to-end encryption
+  • TLS termination for content inspection
+  • TLS termination with re-encryption for gateway scenarios
-- Low-Level Port Forwarding (NfTablesProxy)
-  • nftables NAT rules for ports/ranges, IPv4/IPv6, IP filtering, QoS & ipset support
+- **Automatic ACME Certificates**
+  • HTTP-01 challenge handling
+  • Certificate issuance/renewal
+  • Pluggable storage
-- Custom Redirects (Redirect / SslRedirect)
-  • URL redirects with wildcard host/path, template variables & status codes
+- **Security Controls**
+  • IP allow/block lists with glob pattern support
+  • Connection limits and rate limiting
+  • Timeout controls and connection monitoring
-- TCP/SNI Proxy (SmartProxy)
-  • SNI-based routing, IP allow/block lists, port ranges, timeouts & graceful shutdown
+- **Load Balancing**
+  • Round-robin distribution across multiple backends
+  • Health checks and failure handling
-- SNI Utilities (SniHandler)
-  • Robust ClientHello parsing, fragmentation & session resumption support
-- Core Utilities
-  • ValidationUtils and IpUtils for configuration validation and IP management
+- **Advanced Features**
+  • Custom header manipulation
+  • Template variables for dynamic values
+  • Priority-based route matching
 ## Certificate Hooks & Events
@@ -479,128 +797,265 @@ Listen for certificate events via EventEmitter:
 Provide a `certProvisionFunction(domain)` in SmartProxy settings to supply static certs or return `'http01'`.
-## Unified Forwarding System
+## SmartProxy: Common Use Cases
+The SmartProxy component with route-based configuration offers a clean, unified approach to handle virtually any proxy scenario.
-The SmartProxy Unified Forwarding System provides a clean, use-case driven approach to configuring different types of traffic forwarding. It replaces disparate configuration mechanisms with a unified interface.
+### 1. API Gateway / Backend Routing
-### Forwarding Types
+Create a flexible API gateway to route traffic to different microservices based on domain and path:
-The system supports four primary forwarding types:
+```typescript
+import { SmartProxy, createHttpsRoute } from '@push.rocks/smartproxy';
+const apiGateway = new SmartProxy({
+  routes: [
+    // Users API
+    createHttpsRoute({
+      ports: 443,
+      domains: 'api.example.com',
+      path: '/users/*',
+      target: { host: 'users-service', port: 3000 },
+      certificate: 'auto'
+    }),
+    // Products API
+    createHttpsRoute({
+      ports: 443,
+      domains: 'api.example.com',
+      path: '/products/*',
+      target: { host: 'products-service', port: 3001 },
+      certificate: 'auto'
+    }),
+    // Admin dashboard with extra security
+    createHttpsRoute({
+      ports: 443,
+      domains: 'admin.example.com',
+      target: { host: 'admin-dashboard', port: 8080 },
+      certificate: 'auto',
+      security: {
+        allowedIps: ['10.0.0.*', '192.168.1.*'] // Only allow internal network
+      }
+    })
+  ]
+});
-1. **HTTP-only (`http-only`)**: Forwards HTTP traffic to a backend server.
-2. **HTTPS Passthrough (`https-passthrough`)**: Passes through raw TLS traffic without termination (SNI forwarding).
-3. **HTTPS Termination to HTTP (`https-terminate-to-http`)**: Terminates TLS and forwards the decrypted traffic to an HTTP backend.
-4. **HTTPS Termination to HTTPS (`https-terminate-to-https`)**: Terminates TLS and creates a new TLS connection to an HTTPS backend.
+await apiGateway.start();
+```
-### Basic Configuration
+### 2. Complete HTTPS Server with HTTP Redirect
-Each domain is configured with a forwarding type and target:
+Easily set up a secure HTTPS server with automatic redirection from HTTP:
 ```typescript
-{
-  domains: ['example.com'],
-  forwarding: {
-    type: 'http-only',
-    target: {
-      host: 'localhost',
-      port: 3000
-    }
-  }
-}
+import { SmartProxy, createHttpsServer } from '@push.rocks/smartproxy';
+const webServer = new SmartProxy({
+  routes: [
+    // createHttpsServer creates both the HTTPS route and HTTP redirect
+    ...createHttpsServer({
+      domains: 'example.com',
+      target: { host: 'localhost', port: 8080 },
+      certificate: 'auto',
+      addHttpRedirect: true
+    })
+  ]
+});
+await webServer.start();
 ```
-### Helper Functions
+### 3. Multi-Tenant Application with Wildcard Domains
-Helper functions are provided for common configurations:
+Support dynamically created tenants with wildcard domain matching:
 ```typescript
-import { createDomainConfig, httpOnly, tlsTerminateToHttp,
-         tlsTerminateToHttps, httpsPassthrough } from '@push.rocks/smartproxy';
-// HTTP-only
-await domainManager.addDomainConfig(
-  createDomainConfig('example.com', httpOnly({
-    target: { host: 'localhost', port: 3000 }
-  }))
-);
-// HTTPS termination to HTTP
-await domainManager.addDomainConfig(
-  createDomainConfig('secure.example.com', tlsTerminateToHttp({
-    target: { host: 'localhost', port: 3000 },
-    acme: { production: true }
-  }))
-);
-// HTTPS termination to HTTPS
-await domainManager.addDomainConfig(
-  createDomainConfig('api.example.com', tlsTerminateToHttps({
-    target: { host: 'internal-api', port: 8443 },
-    http: { redirectToHttps: true }
-  }))
-);
-// HTTPS passthrough (SNI)
-await domainManager.addDomainConfig(
-  createDomainConfig('passthrough.example.com', httpsPassthrough({
-    target: { host: '10.0.0.5', port: 443 }
-  }))
-);
+import { SmartProxy, createHttpsRoute, createHttpToHttpsRedirect } from '@push.rocks/smartproxy';
+const multiTenantApp = new SmartProxy({
+  routes: [
+    // Handle all tenant subdomains with one route
+    createHttpsRoute({
+      ports: 443,
+      domains: '*.example.com',
+      target: { host: 'tenant-router', port: 8080 },
+      certificate: 'auto',
+      // Pass original hostname to backend for tenant identification
+      advanced: {
+        headers: {
+          'X-Original-Host': '{sni}'
+        }
+      }
+    }),
+    // Redirect HTTP to HTTPS for all subdomains
+    createHttpToHttpsRedirect({
+      domains: ['*.example.com']
+    })
+  ]
+});
+await multiTenantApp.start();
 ```
-### Advanced Configuration
+### 4. Complex Multi-Service Infrastructure
-For more complex scenarios, additional options can be specified:
+Create a comprehensive proxy solution with multiple services and security controls:
 ```typescript
-{
-  domains: ['api.example.com'],
-  forwarding: {
-    type: 'https-terminate-to-https',
-    target: {
-      host: ['10.0.0.10', '10.0.0.11'], // Round-robin load balancing
-      port: 8443
-    },
-    http: {
-      enabled: true,
-      redirectToHttps: true
-    },
-    https: {
-      // Custom certificate instead of ACME-provisioned
-      customCert: {
-        key: '-----BEGIN PRIVATE KEY-----\n...',
-        cert: '-----BEGIN CERTIFICATE-----\n...'
+import {
+  SmartProxy,
+  createHttpsRoute,
+  createPassthroughRoute,
+  createBlockRoute,
+  createHttpToHttpsRedirect
+} from '@push.rocks/smartproxy';
+const enterpriseProxy = new SmartProxy({
+  routes: [
+    // Web application with automatic HTTPS
+    createHttpsRoute({
+      ports: 443,
+      domains: 'app.example.com',
+      target: { host: 'web-app', port: 8080 },
+      certificate: 'auto'
+    }),
+    // Legacy system that needs HTTPS passthrough
+    createPassthroughRoute({
+      ports: 443,
+      domains: 'legacy.example.com',
+      target: { host: 'legacy-server', port: 443 }
+    }),
+    // Internal APIs with IP restrictions
+    createHttpsRoute({
+      ports: 443,
+      domains: 'api.internal.example.com',
+      target: { host: 'api-gateway', port: 3000 },
+      certificate: 'auto',
+      security: {
+        allowedIps: ['10.0.0.0/16', '192.168.0.0/16'],
+        maxConnections: 500
       }
-    },
+    }),
+    // Block known malicious IPs
+    createBlockRoute({
+      ports: [80, 443],
+      clientIp: ['1.2.3.*', '5.6.7.*'],
+      priority: 1000
+    }),
+    // Redirect all HTTP to HTTPS
+    createHttpToHttpsRedirect({
+      domains: ['*.example.com', 'example.com']
+    })
+  ],
+  // Global settings that apply to all routes
+  defaults: {
     security: {
-      allowedIps: ['10.0.0.*', '192.168.1.*'],
-      blockedIps: ['1.2.3.4'],
-      maxConnections: 100
-    },
-    advanced: {
-      timeout: 30000,
-      headers: {
-        'X-Forwarded-For': '{clientIp}',
-        'X-Original-Host': '{sni}'
-      }
+      maxConnections: 1000
     }
+  },
+  // Enable connection timeouts for security
+  inactivityTimeout: 30000,
+  // Using global certificate management
+  acme: {
+    enabled: true,
+    contactEmail: 'admin@example.com',
+    useProduction: true,
+    renewThresholdDays: 30
   }
-}
+});
+await enterpriseProxy.start();
 ```
-### Extended Configuration Options
+## Route-Based Configuration Details
+### Match Criteria Options
+- **ports**: `number | number[] | Array<{ from: number; to: number }>` (required)
+  Listen on specific ports or port ranges
+- **domains**: `string | string[]` (optional)
+  Match specific domain names, supports wildcards (e.g., `*.example.com`)
+- **path**: `string` (optional)
+  Match specific URL paths, supports glob patterns
+- **clientIp**: `string[]` (optional)
+  Match client IP addresses, supports glob patterns
+- **tlsVersion**: `string[]` (optional)
+  Match specific TLS versions (e.g., `TLSv1.2`, `TLSv1.3`)
+### Action Types
+1. **Forward**:
+   ```typescript
+   {
+     type: 'forward',
+     target: { host: 'localhost', port: 8080 },
+     tls: { mode: 'terminate', certificate: 'auto' }
+   }
+   ```
+2. **Redirect**:
+   ```typescript
+   {
+     type: 'redirect',
+     redirect: { to: 'https://{domain}{path}', status: 301 }
+   }
+   ```
-#### IForwardConfig
-- `type`: 'http-only' | 'https-passthrough' | 'https-terminate-to-http' | 'https-terminate-to-https'
-- `target`: { host: string | string[], port: number }
-- `http?`: { enabled?: boolean, redirectToHttps?: boolean, headers?: Record<string, string> }
-- `https?`: { customCert?: { key: string, cert: string }, forwardSni?: boolean }
-- `acme?`: { enabled?: boolean, maintenance?: boolean, production?: boolean, forwardChallenges?: { host: string, port: number, useTls?: boolean } }
-- `security?`: { allowedIps?: string[], blockedIps?: string[], maxConnections?: number }
-- `advanced?`: { portRanges?: Array<{ from: number, to: number }>, networkProxyPort?: number, keepAlive?: boolean, timeout?: number, headers?: Record<string, string> }
+3. **Block**:
+   ```typescript
+   {
+     type: 'block'
+   }
+   ```
+### TLS Modes
+- **passthrough**: Forward raw TLS traffic without decryption
+- **terminate**: Terminate TLS and forward as HTTP
+- **terminate-and-reencrypt**: Terminate TLS and create a new TLS connection to the backend
+### Template Variables
+Template variables can be used in string values:
+- `{domain}`: The requested domain name
+- `{port}`: The incoming port number
+- `{path}`: The requested URL path
+- `{query}`: The query string
+- `{clientIp}`: The client's IP address
+- `{sni}`: The SNI hostname
+Example:
+```typescript
+createRedirectRoute({
+  domains: 'old.example.com',
+  redirectTo: 'https://new.example.com{path}?source=redirect'
+})
+```
 ## Configuration Options
+### SmartProxy (IRoutedSmartProxyOptions)
+- `routes` (IRouteConfig[], required) - Array of route configurations
+- `defaults` (object) - Default settings for all routes
+- `acme` (IAcmeOptions) - ACME certificate options
+- Connection timeouts: `initialDataTimeout`, `socketTimeout`, `inactivityTimeout`, etc.
+- Socket opts: `noDelay`, `keepAlive`, `enableKeepAliveProbes`
+- `certProvisionFunction` (callback) - Custom certificate provisioning
 ### NetworkProxy (INetworkProxyOptions)
 - `port` (number, required)
 - `backendProtocol` ('http1'|'http2', default 'http1')
@@ -633,25 +1088,22 @@ For more complex scenarios, additional options can be specified:
 - `useIPSets` (boolean, default true)
 - `qos`, `netProxyIntegration` (objects)
-### Redirect / SslRedirect
-- Constructor options: `httpPort`, `httpsPort`, `sslOptions`, `rules` (IRedirectRule[])
-### SmartProxy (ISmartProxyOptions)
-- `fromPort`, `toPort` (number)
-- `domainConfigs` (IDomainConfig[]) - Using unified forwarding configuration
-- `sniEnabled`, `preserveSourceIP` (booleans)
-- `defaultAllowedIPs`, `defaultBlockedIPs` (string[]) - Default IP allowlists/blocklists
-- Timeouts: `initialDataTimeout`, `socketTimeout`, `inactivityTimeout`, etc.
-- Socket opts: `noDelay`, `keepAlive`, `enableKeepAliveProbes`
-- `acme` (IAcmeOptions), `certProvisionFunction` (callback)
-- `useNetworkProxy` (number[]), `networkProxyPort` (number)
-- `globalPortRanges` (Array<{ from: number; to: number }>)
 ## Troubleshooting
+### SmartProxy
+- If routes aren't matching as expected, check their priorities
+- For domain matching issues, verify SNI extraction is working
+- Use higher priority for block routes to ensure they take precedence
+- Enable `enableDetailedLogging` or `enableTlsDebugLogging` for debugging
+### TLS/Certificates
+- For certificate issues, check the ACME settings and domain validation
+- Ensure domains are publicly accessible for Let's Encrypt validation
+- For TLS handshake issues, increase `initialDataTimeout` and `maxPendingDataSize`
 ### NetworkProxy
 - Verify ports, certificates and `rejectUnauthorized` for TLS errors
-- Configure CORS or use `addDefaultHeaders` for preflight issues
+- Configure CORS for preflight issues
 - Increase `maxConnections` or `connectionPoolSize` under load
 ### Port80Handler
@@ -662,18 +1114,6 @@ For more complex scenarios, additional options can be specified:
 - Ensure `nft` is installed and run with sufficient privileges
 - Use `forceCleanSlate:true` to clear conflicting rules
-### Redirect / SslRedirect
-- Check `fromHost`/`fromPath` patterns and Host headers
-- Validate `sslOptions` key/cert correctness
-### SmartProxy & SniHandler
-- Increase `initialDataTimeout`/`maxPendingDataSize` for large ClientHello
-- Enable `enableTlsDebugLogging` to trace handshake
-- Ensure `allowSessionTicket` and fragmentation support for resumption
-- Double-check forwarding configuration to ensure correct `type` for your use case
-- Use helper functions like `httpOnly()`, `httpsPassthrough()`, etc. to create correct configurations
-- For IP filtering issues, check the `security.allowedIps` and `security.blockedIps` settings
 ## License and Legal Information
 This repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license](license) file within this repository.