npm - @push.rocks/smartproxy - Versions diffs - 13.1.3 → 15.0.0 - Mend

@push.rocks/smartproxy 13.1.3 → 15.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (29) hide show

package/dist_ts/00_commitinfo_data.js +3 -3
package/dist_ts/proxies/smart-proxy/index.d.ts +5 -3
package/dist_ts/proxies/smart-proxy/index.js +9 -5
package/dist_ts/proxies/smart-proxy/models/index.d.ts +2 -0
package/dist_ts/proxies/smart-proxy/models/index.js +2 -1
package/dist_ts/proxies/smart-proxy/models/interfaces.d.ts +82 -15
package/dist_ts/proxies/smart-proxy/models/interfaces.js +10 -1
package/dist_ts/proxies/smart-proxy/models/route-types.d.ts +133 -0
package/dist_ts/proxies/smart-proxy/models/route-types.js +2 -0
package/dist_ts/proxies/smart-proxy/route-connection-handler.d.ts +55 -0
package/dist_ts/proxies/smart-proxy/route-connection-handler.js +804 -0
package/dist_ts/proxies/smart-proxy/route-helpers.d.ts +127 -0
package/dist_ts/proxies/smart-proxy/route-helpers.js +196 -0
package/dist_ts/proxies/smart-proxy/route-manager.d.ts +103 -0
package/dist_ts/proxies/smart-proxy/route-manager.js +483 -0
package/dist_ts/proxies/smart-proxy/smart-proxy.d.ts +19 -8
package/dist_ts/proxies/smart-proxy/smart-proxy.js +239 -46
package/package.json +2 -2
package/readme.md +675 -446
package/readme.plan.md +311 -250
package/ts/00_commitinfo_data.ts +2 -2
package/ts/proxies/smart-proxy/index.ts +20 -4
package/ts/proxies/smart-proxy/models/index.ts +4 -0
package/ts/proxies/smart-proxy/models/interfaces.ts +91 -13
package/ts/proxies/smart-proxy/models/route-types.ts +184 -0
package/ts/proxies/smart-proxy/route-connection-handler.ts +1117 -0
package/ts/proxies/smart-proxy/route-helpers.ts +344 -0
package/ts/proxies/smart-proxy/route-manager.ts +587 -0
package/ts/proxies/smart-proxy/smart-proxy.ts +300 -69

package/readme.md CHANGED Viewed

@@ -2,16 +2,16 @@
 A unified high-performance proxy toolkit for Node.js, with **SmartProxy** as the central API to handle all your proxy needs:
-- **Unified Configuration API**: One consistent way to configure various proxy types
+- **Unified Route-Based Configuration**: Match/action pattern for clean, consistent traffic routing
 - **SSL/TLS Support**: Automatic HTTPS with Let's Encrypt certificate provisioning
-- **Simplified Domain Management**: Easy routing based on domain names with wildcard support
+- **Flexible Matching Patterns**: Route by port, domain, path, client IP, and TLS version
 - **Advanced SNI Handling**: Smart TCP/SNI-based forwarding with IP filtering
-- **Multiple Forwarding Types**: HTTP-only, HTTPS passthrough, TLS termination options
+- **Multiple Action Types**: Forward (with TLS modes), redirect, or block traffic
 - **Security Features**: IP allowlists, connection limits, timeouts, and more
 ## Project Architecture Overview
-SmartProxy has been restructured using a modern, modular architecture to improve maintainability and clarity:
+SmartProxy has been restructured using a modern, modular architecture with a unified route-based configuration system in v14.0.0:
 ```
 /ts
@@ -29,19 +29,17 @@ SmartProxy has been restructured using a modern, modular architecture to improve
 │   │   ├── http-handler.ts   # HTTP-only handler
 │   │   └── ...               # Other handlers
 │   ├── /config               # Configuration models
-│   │   ├── forwarding-types.ts     # Type definitions
-│   │   ├── domain-config.ts        # Domain config utilities
-│   │   └── domain-manager.ts       # Domain routing manager
 │   └── /factory              # Factory for creating handlers
 ├── /proxies                  # Different proxy implementations
 │   ├── /smart-proxy          # SmartProxy implementation
 │   │   ├── /models           # SmartProxy-specific interfaces
+│   │   │   ├── route-types.ts # Route-based configuration types
+│   │   │   └── interfaces.ts  # SmartProxy interfaces
+│   │   ├── route-helpers.ts  # Helper functions for creating routes
+│   │   ├── route-manager.ts  # Route management system
 │   │   ├── smart-proxy.ts    # Main SmartProxy class
 │   │   └── ...               # Supporting classes
 │   ├── /network-proxy        # NetworkProxy implementation
-│   │   ├── /models           # NetworkProxy-specific interfaces
-│   │   ├── network-proxy.ts  # Main NetworkProxy class
-│   │   └── ...               # Supporting classes
 │   └── /nftables-proxy       # NfTablesProxy implementation
 ├── /tls                      # TLS-specific functionality
 │   ├── /sni                  # SNI handling components
@@ -58,18 +56,20 @@ SmartProxy has been restructured using a modern, modular architecture to improve
 - **SmartProxy** (`ts/proxies/smart-proxy/smart-proxy.ts`)
   The central unified API for all proxy needs, featuring:
-  - Domain-based routing with SNI inspection
+  - Route-based configuration with match/action pattern
+  - Flexible matching criteria (ports, domains, paths, client IPs)
+  - Multiple action types (forward, redirect, block)
   - Automatic certificate management
-  - Multiple forwarding types in one configuration
   - Advanced security controls
-  - Flexible backend targeting options
 ### Helper Functions
-- **createDomainConfig**
-  Create domain configuration with clean syntax
-- **httpOnly**, **httpsPassthrough**, **tlsTerminateToHttp**, **tlsTerminateToHttps**
-  Helper functions to create different forwarding configurations
+- **createRoute**, **createHttpRoute**, **createHttpsRoute**, **createPassthroughRoute**
+  Helper functions to create different route configurations with clean syntax
+- **createRedirectRoute**, **createHttpToHttpsRedirect**, **createBlockRoute**
+  Helper functions for common redirect and security configurations
+- **createLoadBalancerRoute**, **createHttpsServer**
+  Helper functions for complex configurations
 ### Specialized Components
@@ -93,8 +93,8 @@ SmartProxy has been restructured using a modern, modular architecture to improve
 ### Interfaces and Types
-- `ISmartProxyOptions`, `IDomainConfig` (`ts/proxies/smart-proxy/models/interfaces.ts`)
-- `IForwardConfig`, `TForwardingType` (`ts/forwarding/config/forwarding-types.ts`)
+- `IRouteConfig`, `IRouteMatch`, `IRouteAction` (`ts/proxies/smart-proxy/models/route-types.ts`)
+- `IRoutedSmartProxyOptions` (`ts/proxies/smart-proxy/models/route-types.ts`)
 - `INetworkProxyOptions` (`ts/proxies/network-proxy/models/types.ts`)
 - `IAcmeOptions`, `IDomainOptions` (`ts/certificate/models/certificate-types.ts`)
 - `INfTableProxySettings` (`ts/proxies/nftables-proxy/models/interfaces.ts`)
@@ -105,51 +105,71 @@ Install via npm:
 npm install @push.rocks/smartproxy
 ```
-## Quick Start with SmartProxy
+## Quick Start with SmartProxy v14.0.0
-SmartProxy is the recommended way to use this library, providing a unified API for all proxy scenarios.
+SmartProxy v14.0.0 introduces a new unified route-based configuration system that makes configuring proxies more flexible and intuitive.
 ```typescript
-import { SmartProxy, createDomainConfig, httpOnly, tlsTerminateToHttp, httpsPassthrough } from '@push.rocks/smartproxy';
-// Create a new SmartProxy instance with all your domain configurations in one place
+import {
+  SmartProxy,
+  createHttpRoute,
+  createHttpsRoute,
+  createPassthroughRoute,
+  createHttpToHttpsRedirect
+} from '@push.rocks/smartproxy';
+// Create a new SmartProxy instance with route-based configuration
 const proxy = new SmartProxy({
-  // Listen on port 443 for incoming connections
-  fromPort: 443,
-  // Configure domains and their forwarding rules
-  domainConfigs: [
-    // Basic HTTP forwarding for api.example.com
-    createDomainConfig('api.example.com', httpOnly({
+  // Define all your routing rules in one array
+  routes: [
+    // Basic HTTP route - forward traffic from port 80 to internal service
+    createHttpRoute({
+      ports: 80,
+      domains: 'api.example.com',
       target: { host: 'localhost', port: 3000 }
-    })),
+    }),
-    // HTTPS termination with automatic Let's Encrypt certificates
-    createDomainConfig('secure.example.com', tlsTerminateToHttp({
+    // HTTPS route with TLS termination and automatic certificates
+    createHttpsRoute({
+      ports: 443,
+      domains: 'secure.example.com',
       target: { host: 'localhost', port: 8080 },
-      acme: {
-        enabled: true,
-        production: true
-      }
-    })),
-    // Multiple domains with wildcard support
-    createDomainConfig(['example.com', '*.example.com'], httpsPassthrough({
-      target: {
-        // Load balancing across multiple backend servers
-        host: ['192.168.1.10', '192.168.1.11'],
-        port: 443
-      },
+      certificate: 'auto'  // Use Let's Encrypt
+    }),
+    // HTTPS passthrough for legacy systems
+    createPassthroughRoute({
+      ports: 443,
+      domains: 'legacy.example.com',
+      target: { host: '192.168.1.10', port: 443 }
+    }),
+    // Redirect HTTP to HTTPS
+    createHttpToHttpsRedirect({
+      domains: ['example.com', '*.example.com']
+    }),
+    // Complex load balancer setup with security controls
+    createLoadBalancerRoute({
+      domains: ['app.example.com'],
+      targets: ['192.168.1.10', '192.168.1.11', '192.168.1.12'],
+      targetPort: 8080,
+      tlsMode: 'terminate',
+      certificate: 'auto',
       security: {
-        // IP filtering for enhanced security
         allowedIps: ['10.0.0.*', '192.168.1.*'],
-        blockedIps: ['1.2.3.4']
+        blockedIps: ['1.2.3.4'],
+        maxConnections: 1000
       }
-    }))
+    })
   ],
-  // Enable SNI-based routing
-  sniEnabled: true,
+  // Global settings that apply to all routes
+  defaults: {
+    security: {
+      maxConnections: 500
+    }
+  },
   // Automatic Let's Encrypt integration
   acme: {
@@ -167,65 +187,359 @@ proxy.on('certificate', evt => {
 // Start the proxy
 await proxy.start();
-// Dynamically add or update domain configurations later
-await proxy.updateDomainConfigs([
-  createDomainConfig('new-domain.com', tlsTerminateToHttp({
-    target: { host: 'localhost', port: 9000 }
-  }))
+// Dynamically add new routes later
+await proxy.addRoutes([
+  createHttpsRoute({
+    domains: 'new-domain.com',
+    target: { host: 'localhost', port: 9000 },
+    certificate: 'auto'
+  })
 ]);
 // Later, gracefully shut down
 await proxy.stop();
 ```
-### What You Can Do with SmartProxy
+## Route-Based Configuration System
+SmartProxy v14.0.0 introduces a new unified route configuration system based on the `IRouteConfig` interface. This system follows a match/action pattern that makes routing more powerful, flexible, and declarative.
+### IRouteConfig Interface
+The `IRouteConfig` interface is the core building block of SmartProxy's configuration system. Each route definition consists of match criteria and an action to perform on matched traffic:
+```typescript
+interface IRouteConfig {
+  // What traffic to match (required)
+  match: IRouteMatch;
+  // What to do with matched traffic (required)
+  action: IRouteAction;
+  // Metadata (all optional)
+  name?: string;             // Human-readable name for this route
+  description?: string;      // Description of the route's purpose
+  priority?: number;         // Controls matching order (higher = matched first)
+  tags?: string[];           // Arbitrary tags for categorization
+}
+```
+#### Match Criteria (IRouteMatch)
+The `match` property defines criteria for identifying which incoming traffic should be handled by this route:
+```typescript
+interface IRouteMatch {
+  // Listen on these ports (required)
+  ports: TPortRange;  // number | number[] | Array<{ from: number; to: number }>
+  // Optional domain patterns to match (default: all domains)
+  domains?: string | string[];  // Supports wildcards like '*.example.com'
+  // Advanced matching criteria (all optional)
+  path?: string;           // Match specific URL paths, supports glob patterns
+  clientIp?: string[];     // Match specific client IPs, supports glob patterns
+  tlsVersion?: string[];   // Match specific TLS versions e.g. ['TLSv1.2', 'TLSv1.3']
+}
+```
+**Port Specification:**
+- **Single port:** `ports: 80`
+- **Multiple ports:** `ports: [80, 443]`
+- **Port ranges:** `ports: [{ from: 8000, to: 8100 }]`
+- **Mixed format:** `ports: [80, 443, { from: 8000, to: 8100 }]`
+**Domain Matching:**
+- **Single domain:** `domains: 'example.com'`
+- **Multiple domains:** `domains: ['example.com', 'api.example.com']`
+- **Wildcard domains:** `domains: '*.example.com'` (matches any subdomain)
+- **Root domain + subdomains:** `domains: ['example.com', '*.example.com']`
+**Path Matching:**
+- **Exact path:** `path: '/api'` (matches only /api exactly)
+- **Prefix match:** `path: '/api/*'` (matches /api and any paths under it)
+- **Multiple patterns:** Use multiple routes with different priorities
+**Client IP Matching:**
+- **Exact IP:** `clientIp: ['192.168.1.1']`
+- **Subnet wildcards:** `clientIp: ['10.0.0.*', '192.168.1.*']`
+- **CIDR notation:** `clientIp: ['10.0.0.0/24']`
+**TLS Version Matching:**
+- `tlsVersion: ['TLSv1.2', 'TLSv1.3']` (only match these TLS versions)
+#### Action Configuration (IRouteAction)
+The `action` property defines what to do with traffic that matches the criteria:
+```typescript
+interface IRouteAction {
+  // Action type (required)
+  type: 'forward' | 'redirect' | 'block';
+  // For 'forward' actions
+  target?: IRouteTarget;
+  // TLS handling for 'forward' actions
+  tls?: IRouteTls;
+  // For 'redirect' actions
+  redirect?: IRouteRedirect;
+  // Security options for any action
+  security?: IRouteSecurity;
+  // Advanced options
+  advanced?: IRouteAdvanced;
+}
+```
+**Forward Action:**
+When `type: 'forward'`, the traffic is forwarded to the specified target:
+```typescript
+interface IRouteTarget {
+  host: string | string[];  // Target host(s) - string array enables round-robin
+  port: number;             // Target port
+  preservePort?: boolean;   // Use incoming port as target port (default: false)
+}
+```
+**TLS Configuration:**
+When forwarding with TLS, you can configure how TLS is handled:
+```typescript
+interface IRouteTls {
+  mode: 'passthrough' | 'terminate' | 'terminate-and-reencrypt';
+  certificate?: 'auto' | {   // 'auto' = use ACME (Let's Encrypt)
+    key: string;            // TLS private key content
+    cert: string;           // TLS certificate content
+  };
+}
+```
+**TLS Modes:**
+- **passthrough:** Forward raw encrypted TLS traffic without decryption
+- **terminate:** Terminate TLS and forward as HTTP
+- **terminate-and-reencrypt:** Terminate TLS and create a new TLS connection to the backend
+**Redirect Action:**
+When `type: 'redirect'`, the client is redirected:
+```typescript
+interface IRouteRedirect {
+  to: string;                   // URL or template with variables
+  status: 301 | 302 | 307 | 308;  // HTTP status code
+}
+```
+**Block Action:**
+When `type: 'block'`, the connection is immediately closed.
+**Security Options:**
+For any action type, you can add security controls:
+```typescript
+interface IRouteSecurity {
+  allowedIps?: string[];     // IP allowlist with glob pattern support
+  blockedIps?: string[];     // IP blocklist with glob pattern support
+  maxConnections?: number;   // Maximum concurrent connections
+  authentication?: {         // Optional authentication (future support)
+    type: 'basic' | 'digest' | 'oauth';
+    // Auth-specific options
+  };
+}
+```
+**Advanced Options:**
+Additional advanced configurations:
+```typescript
+interface IRouteAdvanced {
+  timeout?: number;                 // Connection timeout in milliseconds
+  headers?: Record<string, string>; // Custom HTTP headers
+  keepAlive?: boolean;              // Enable connection pooling
+  // Additional advanced options
+}
+```
+#### Template Variables
+String values in redirect URLs and headers can include variables:
+- `{domain}`: The requested domain name
+- `{port}`: The incoming port number
+- `{path}`: The requested URL path
+- `{query}`: The query string
+- `{clientIp}`: The client's IP address
+- `{sni}`: The SNI hostname
+Example with template variables:
+```typescript
+redirect: {
+  to: 'https://{domain}{path}?source=redirect',
+  status: 301
+}
+```
+#### Route Metadata and Prioritization
+You can add metadata to routes to help with organization and control matching priority:
+```typescript
+{
+  name: 'API Server',                 // Human-readable name
+  description: 'Main API endpoints',  // Description
+  priority: 100,                      // Matching priority (higher = matched first)
+  tags: ['api', 'internal']           // Arbitrary tags
+}
+```
+Routes with higher priority values are matched first, allowing you to create specialized routes that take precedence over more general ones.
+#### Complete Route Configuration Example
+```typescript
+// Example of a complete route configuration
+{
+  match: {
+    ports: 443,
+    domains: ['api.example.com', 'api-v2.example.com'],
+    path: '/secure/*',
+    clientIp: ['10.0.0.*', '192.168.1.*']
+  },
+  action: {
+    type: 'forward',
+    target: {
+      host: ['10.0.0.1', '10.0.0.2'],  // Round-robin between these hosts
+      port: 8080
+    },
+    tls: {
+      mode: 'terminate',
+      certificate: 'auto'  // Use Let's Encrypt
+    },
+    security: {
+      allowedIps: ['10.0.0.*'],
+      maxConnections: 100
+    },
+    advanced: {
+      timeout: 30000,
+      headers: {
+        'X-Original-Host': '{domain}',
+        'X-Client-IP': '{clientIp}'
+      },
+      keepAlive: true
+    }
+  },
+  name: 'Secure API Route',
+  description: 'Route for secure API endpoints with authentication',
+  priority: 100,
+  tags: ['api', 'secure', 'internal']
+}
+```
+### Using Helper Functions
+While you can create route configurations manually, SmartProxy provides helper functions to make it easier:
+```typescript
+// Instead of building the full object:
+const route = {
+  match: { ports: 80, domains: 'example.com' },
+  action: { type: 'forward', target: { host: 'localhost', port: 8080 } },
+  name: 'Web Server'
+};
+// Use the helper function:
+const route = createHttpRoute({
+  domains: 'example.com',
+  target: { host: 'localhost', port: 8080 },
+  name: 'Web Server'
+});
+```
+Available helper functions:
+- `createRoute()` - Basic function to create any route configuration
+- `createHttpRoute()` - Create an HTTP forwarding route
+- `createHttpsRoute()` - Create an HTTPS route with TLS termination
+- `createPassthroughRoute()` - Create an HTTPS passthrough route
+- `createRedirectRoute()` - Create a generic redirect route
+- `createHttpToHttpsRedirect()` - Create an HTTP to HTTPS redirect
+- `createBlockRoute()` - Create a route to block specific traffic
+- `createLoadBalancerRoute()` - Create a route for load balancing
+- `createHttpsServer()` - Create a complete HTTPS server setup with HTTP redirect
-1. **Domain-Based Routing**
+## What You Can Do with SmartProxy
+1. **Route-Based Traffic Management**
    ```typescript
    // Route requests for different domains to different backend servers
-   createDomainConfig('api.example.com', httpOnly({
-     target: { host: 'api-server', port: 3000 }
-   }))
+   createHttpsRoute({
+     domains: 'api.example.com',
+     target: { host: 'api-server', port: 3000 },
+     certificate: 'auto'
+   })
    ```
 2. **Automatic SSL with Let's Encrypt**
    ```typescript
    // Get and automatically renew certificates
-   createDomainConfig('secure.example.com', tlsTerminateToHttp({
+   createHttpsRoute({
+     domains: 'secure.example.com',
      target: { host: 'localhost', port: 8080 },
-     acme: { enabled: true, production: true }
-   }))
+     certificate: 'auto'
+   })
    ```
 3. **Load Balancing**
    ```typescript
    // Distribute traffic across multiple backend servers
-   createDomainConfig('app.example.com', httpOnly({
-     target: {
-       host: ['10.0.0.1', '10.0.0.2', '10.0.0.3'],
-       port: 8080
-     }
-   }))
+   createLoadBalancerRoute({
+     domains: 'app.example.com',
+     targets: ['10.0.0.1', '10.0.0.2', '10.0.0.3'],
+     targetPort: 8080,
+     tlsMode: 'terminate',
+     certificate: 'auto'
+   })
    ```
 4. **Security Controls**
    ```typescript
    // Restrict access based on IP addresses
-   createDomainConfig('admin.example.com', httpOnly({
+   createHttpsRoute({
+     domains: 'admin.example.com',
      target: { host: 'localhost', port: 8080 },
+     certificate: 'auto',
      security: {
        allowedIps: ['10.0.0.*', '192.168.1.*'],
        maxConnections: 100
      }
-   }))
+   })
    ```
 5. **Wildcard Domains**
    ```typescript
    // Handle all subdomains with one config
-   createDomainConfig(['example.com', '*.example.com'], httpsPassthrough({
+   createPassthroughRoute({
+     domains: ['example.com', '*.example.com'],
      target: { host: 'backend-server', port: 443 }
-   }))
+   })
+   ```
+6. **Path-Based Routing**
+   ```typescript
+   // Route based on URL path
+   createHttpsRoute({
+     domains: 'example.com',
+     path: '/api/*',
+     target: { host: 'api-server', port: 3000 },
+     certificate: 'auto'
+   })
+   ```
+7. **Block Malicious Traffic**
+   ```typescript
+   // Block traffic from specific IPs
+   createBlockRoute({
+     ports: [80, 443],
+     clientIp: ['1.2.3.*', '5.6.7.*'],
+     priority: 1000  // High priority to ensure blocking
+   })
    ```
 ## Other Components
@@ -293,13 +607,57 @@ const redirect = new SslRedirect(80);
 await redirect.start();
 ```
-## API Reference
-For full configuration options and type definitions, see the TypeScript interfaces:
-- `INetworkProxyOptions` (`ts/proxies/network-proxy/models/types.ts`)
-- `IAcmeOptions`, `IDomainOptions` (`ts/certificate/models/certificate-types.ts`)
-- `IForwardConfig` (`ts/forwarding/config/forwarding-types.ts`)
-- `INfTableProxySettings` (`ts/proxies/nftables-proxy/models/interfaces.ts`)
-- `ISmartProxyOptions`, `IDomainConfig` (`ts/proxies/smart-proxy/models/interfaces.ts`)
+## Migration from v13.x to v14.0.0
+Version 14.0.0 introduces a breaking change with the new route-based configuration system:
+### Key Changes
+1. **Configuration Structure**: The configuration now uses the match/action pattern instead of the old domain-based and port-based approach
+2. **SmartProxy Options**: Now takes an array of route configurations instead of `domainConfigs` and port ranges
+3. **Helper Functions**: New helper functions have been introduced to simplify configuration
+### Migration Example
+**v13.x Configuration**:
+```typescript
+import { SmartProxy, createDomainConfig, httpOnly, tlsTerminateToHttp } from '@push.rocks/smartproxy';
+const proxy = new SmartProxy({
+  fromPort: 443,
+  domainConfigs: [
+    createDomainConfig('example.com', tlsTerminateToHttp({
+      target: { host: 'localhost', port: 8080 },
+      acme: { enabled: true, production: true }
+    }))
+  ],
+  sniEnabled: true
+});
+```
+**v14.0.0 Configuration**:
+```typescript
+import { SmartProxy, createHttpsRoute } from '@push.rocks/smartproxy';
+const proxy = new SmartProxy({
+  routes: [
+    createHttpsRoute({
+      ports: 443,
+      domains: 'example.com',
+      target: { host: 'localhost', port: 8080 },
+      certificate: 'auto'
+    })
+  ]
+});
+```
+### Migration Steps
+1. Replace `domainConfigs` with an array of route configurations using `routes`
+2. Convert each domain configuration to use the new helper functions
+3. Update any code that uses `updateDomainConfigs()` to use `addRoutes()` or `updateRoutes()`
+4. For port-only configurations, create route configurations with port matching only
+5. For SNI-based routing, SNI is now automatically enabled when needed
 ## Architecture & Flow Diagrams
@@ -309,11 +667,10 @@ flowchart TB
     subgraph "SmartProxy Components"
         direction TB
-        HTTP80["HTTP Port 80<br>Redirect / SslRedirect"]
+        RouteConfig["Route Configuration<br>(Match/Action)"]
+        RouteManager["Route Manager"]
         HTTPS443["HTTPS Port 443<br>NetworkProxy"]
         SmartProxy["SmartProxy<br>(TCP/SNI Proxy)"]
-        NfTables[NfTablesProxy]
-        Router[ProxyRouter]
         ACME["Port80Handler<br>(ACME HTTP-01)"]
         Certs[(SSL Certificates)]
     end
@@ -324,188 +681,110 @@ flowchart TB
         Service3[Service 3]
     end
-    Client -->|HTTP Request| HTTP80
-    HTTP80 -->|Redirect| Client
-    Client -->|HTTPS Request| HTTPS443
-    Client -->|TLS/TCP| SmartProxy
-    HTTPS443 -->|Route Request| Router
-    Router -->|Proxy Request| Service1
-    Router -->|Proxy Request| Service2
+    Client -->|HTTP/HTTPS Request| SmartProxy
-    SmartProxy -->|Direct TCP| Service2
-    SmartProxy -->|Direct TCP| Service3
+    SmartProxy -->|Route Matching| RouteManager
+    RouteManager -->|Use| RouteConfig
+    RouteManager -->|Execute Action| SmartProxy
-    NfTables -.->|Low-level forwarding| SmartProxy
+    SmartProxy -->|Forward| Service1
+    SmartProxy -->|Redirect| Client
+    SmartProxy -->|Forward| Service2
+    SmartProxy -->|Forward| Service3
-    HTTP80 -.->|Challenge Response| ACME
     ACME -.->|Generate/Manage| Certs
-    Certs -.->|Provide TLS Certs| HTTPS443
+    Certs -.->|Provide TLS Certs| SmartProxy
     classDef component fill:#f9f,stroke:#333,stroke-width:2px;
     classDef backend fill:#bbf,stroke:#333,stroke-width:1px;
     classDef client fill:#dfd,stroke:#333,stroke-width:2px;
     class Client client;
-    class HTTP80,HTTPS443,SmartProxy,NfTables,Router,ACME component;
+    class RouteConfig,RouteManager,HTTPS443,SmartProxy,ACME component;
     class Service1,Service2,Service3 backend;
 ```
-### HTTPS Reverse Proxy Flow
-This diagram shows how HTTPS requests are handled and proxied to backend services:
+### Route-Based Connection Handling
+This diagram illustrates how requests are matched and processed using the route-based configuration:
 ```mermaid
 sequenceDiagram
     participant Client
-    participant NetworkProxy
-    participant ProxyRouter
+    participant SmartProxy
+    participant RouteManager
     participant Backend
-    Client->>NetworkProxy: HTTPS Request
+    Client->>SmartProxy: Connection (TCP/HTTP/HTTPS)
-    Note over NetworkProxy: TLS Termination
+    SmartProxy->>RouteManager: Match connection against routes
-    NetworkProxy->>ProxyRouter: Route Request
-    ProxyRouter->>ProxyRouter: Match hostname to config
+    RouteManager->>RouteManager: Check port match
+    RouteManager->>RouteManager: Check domain match (if SNI)
+    RouteManager->>RouteManager: Check path match (if HTTP)
+    RouteManager->>RouteManager: Check client IP match
+    RouteManager->>RouteManager: Check TLS version match
-    alt Authentication Required
-        NetworkProxy->>Client: Request Authentication
-        Client->>NetworkProxy: Send Credentials
-        NetworkProxy->>NetworkProxy: Validate Credentials
-    end
+    RouteManager->>RouteManager: Determine highest priority matching route
-    NetworkProxy->>Backend: Forward Request
-    Backend->>NetworkProxy: Response
-    Note over NetworkProxy: Add Default Headers
-    NetworkProxy->>Client: Forward Response
-    alt WebSocket Request
-        Client->>NetworkProxy: Upgrade to WebSocket
-        NetworkProxy->>Backend: Upgrade to WebSocket
-        loop WebSocket Active
-            Client->>NetworkProxy: WebSocket Message
-            NetworkProxy->>Backend: Forward Message
-            Backend->>NetworkProxy: WebSocket Message
-            NetworkProxy->>Client: Forward Message
-            NetworkProxy-->>NetworkProxy: Heartbeat Check
-        end
-    end
-```
-### SNI-based Connection Handling
-This diagram illustrates how TCP connections with SNI (Server Name Indication) are processed and forwarded:
-```mermaid
-sequenceDiagram
-    participant Client
-    participant SmartProxy
-    participant Backend
-    Client->>SmartProxy: TLS Connection
-    alt SNI Enabled
-        SmartProxy->>Client: Accept Connection
-        Client->>SmartProxy: TLS ClientHello with SNI
-        SmartProxy->>SmartProxy: Extract SNI Hostname
-        SmartProxy->>SmartProxy: Match Domain Config
-        SmartProxy->>SmartProxy: Validate Client IP
+    alt Forward Action
+        RouteManager->>SmartProxy: Use forward action
-        alt IP Allowed
-            SmartProxy->>Backend: Forward Connection
-            Note over SmartProxy,Backend: Bidirectional Data Flow
-        else IP Rejected
-            SmartProxy->>Client: Close Connection
+        alt TLS Termination
+            SmartProxy->>SmartProxy: Terminate TLS
+            SmartProxy->>Backend: Forward as HTTP/HTTPS
+        else TLS Passthrough
+            SmartProxy->>Backend: Forward raw TCP
         end
-    else Port-based Routing
-        SmartProxy->>SmartProxy: Match Port Range
-        SmartProxy->>SmartProxy: Find Domain Config
-        SmartProxy->>SmartProxy: Validate Client IP
-        alt IP Allowed
-            SmartProxy->>Backend: Forward Connection
-            Note over SmartProxy,Backend: Bidirectional Data Flow
-        else IP Rejected
-            SmartProxy->>Client: Close Connection
-        end
+    else Redirect Action
+        RouteManager->>SmartProxy: Use redirect action
+        SmartProxy->>Client: Send redirect response
+    else Block Action
+        RouteManager->>SmartProxy: Use block action
+        SmartProxy->>Client: Close connection
     end
     loop Connection Active
         SmartProxy-->>SmartProxy: Monitor Activity
-        SmartProxy-->>SmartProxy: Check Max Lifetime
-        alt Inactivity or Max Lifetime Exceeded
+        SmartProxy-->>SmartProxy: Check Security Rules
+        alt Security Violation or Timeout
             SmartProxy->>Client: Close Connection
             SmartProxy->>Backend: Close Connection
         end
     end
 ```
-### Let's Encrypt Certificate Acquisition
-This diagram shows how certificates are automatically acquired through the ACME protocol:
-```mermaid
-sequenceDiagram
-    participant Client
-    participant Port80Handler
-    participant ACME as Let's Encrypt ACME
-    participant NetworkProxy
-    Client->>Port80Handler: HTTP Request for domain
-    alt Certificate Exists
-        Port80Handler->>Client: Redirect to HTTPS
-    else No Certificate
-        Port80Handler->>Port80Handler: Mark domain as obtaining cert
-        Port80Handler->>ACME: Create account & new order
-        ACME->>Port80Handler: Challenge information
-        Port80Handler->>Port80Handler: Store challenge token & key authorization
-        ACME->>Port80Handler: HTTP-01 Challenge Request
-        Port80Handler->>ACME: Challenge Response
-        ACME->>ACME: Validate domain ownership
-        ACME->>Port80Handler: Challenge validated
-        Port80Handler->>Port80Handler: Generate CSR
-        Port80Handler->>ACME: Submit CSR
-        ACME->>Port80Handler: Issue Certificate
-        Port80Handler->>Port80Handler: Store certificate & private key
-        Port80Handler->>Port80Handler: Mark certificate as obtained
-        Note over Port80Handler,NetworkProxy: Certificate available for use
-        Client->>Port80Handler: Another HTTP Request
-        Port80Handler->>Client: Redirect to HTTPS
-        Client->>NetworkProxy: HTTPS Request
-        Note over NetworkProxy: Uses new certificate
-    end
-```
 ## Features
-- HTTP/HTTPS Reverse Proxy (NetworkProxy)
-  • TLS termination, virtual-host routing, HTTP/2 & WebSocket support, pooling & metrics
+- **Route-Based Traffic Management**
+  • Match/action pattern for flexible routing
+  • Port, domain, path, client IP, and TLS version matching
+  • Multiple action types (forward, redirect, block)
-- Automatic ACME Certificates (Port80Handler)
-  • HTTP-01 challenge handling, certificate issuance/renewal, pluggable storage
+- **TLS Handling Options**
+  • TLS passthrough for end-to-end encryption
+  • TLS termination for content inspection
+  • TLS termination with re-encryption for gateway scenarios
-- Low-Level Port Forwarding (NfTablesProxy)
-  • nftables NAT rules for ports/ranges, IPv4/IPv6, IP filtering, QoS & ipset support
+- **Automatic ACME Certificates**
+  • HTTP-01 challenge handling
+  • Certificate issuance/renewal
+  • Pluggable storage
-- Custom Redirects (Redirect / SslRedirect)
-  • URL redirects with wildcard host/path, template variables & status codes
+- **Security Controls**
+  • IP allow/block lists with glob pattern support
+  • Connection limits and rate limiting
+  • Timeout controls and connection monitoring
-- TCP/SNI Proxy (SmartProxy)
-  • SNI-based routing, IP allow/block lists, port ranges, timeouts & graceful shutdown
+- **Load Balancing**
+  • Round-robin distribution across multiple backends
+  • Health checks and failure handling
-- SNI Utilities (SniHandler)
-  • Robust ClientHello parsing, fragmentation & session resumption support
-- Core Utilities
-  • ValidationUtils and IpUtils for configuration validation and IP management
+- **Advanced Features**
+  • Custom header manipulation
+  • Template variables for dynamic values
+  • Priority-based route matching
 ## Certificate Hooks & Events
@@ -520,176 +799,171 @@ Provide a `certProvisionFunction(domain)` in SmartProxy settings to supply stati
 ## SmartProxy: Common Use Cases
-The SmartProxy component offers a clean, unified approach to handle virtually any proxy scenario.
+The SmartProxy component with route-based configuration offers a clean, unified approach to handle virtually any proxy scenario.
 ### 1. API Gateway / Backend Routing
-Create a flexible API gateway to route traffic to different microservices based on domain:
+Create a flexible API gateway to route traffic to different microservices based on domain and path:
 ```typescript
-import { SmartProxy, createDomainConfig, httpOnly, tlsTerminateToHttp } from '@push.rocks/smartproxy';
+import { SmartProxy, createHttpsRoute } from '@push.rocks/smartproxy';
 const apiGateway = new SmartProxy({
-  fromPort: 443,
-  domainConfigs: [
+  routes: [
     // Users API
-    createDomainConfig('users.api.example.com', tlsTerminateToHttp({
+    createHttpsRoute({
+      ports: 443,
+      domains: 'api.example.com',
+      path: '/users/*',
       target: { host: 'users-service', port: 3000 },
-      acme: { enabled: true, production: true }
-    })),
+      certificate: 'auto'
+    }),
     // Products API
-    createDomainConfig('products.api.example.com', tlsTerminateToHttp({
+    createHttpsRoute({
+      ports: 443,
+      domains: 'api.example.com',
+      path: '/products/*',
       target: { host: 'products-service', port: 3001 },
-      acme: { enabled: true, production: true }
-    })),
+      certificate: 'auto'
+    }),
-    // Admin dashboard gets extra security
-    createDomainConfig('admin.example.com', tlsTerminateToHttp({
+    // Admin dashboard with extra security
+    createHttpsRoute({
+      ports: 443,
+      domains: 'admin.example.com',
       target: { host: 'admin-dashboard', port: 8080 },
+      certificate: 'auto',
       security: {
         allowedIps: ['10.0.0.*', '192.168.1.*'] // Only allow internal network
       }
-    }))
-  ],
-  sniEnabled: true
-});
-await apiGateway.start();
-```
-### 2. Automatic HTTPS for Development
-Easily add HTTPS to your local development environment with automatic certificates:
-```typescript
-import { SmartProxy, createDomainConfig, tlsTerminateToHttp } from '@push.rocks/smartproxy';
-const devProxy = new SmartProxy({
-  fromPort: 443,
-  domainConfigs: [
-    createDomainConfig('dev.local', tlsTerminateToHttp({
-      target: { host: 'localhost', port: 3000 },
-      // For development, use self-signed or existing certificates
-      https: {
-        customCert: {
-          key: fs.readFileSync('dev-cert.key', 'utf8'),
-          cert: fs.readFileSync('dev-cert.pem', 'utf8')
-        }
-      },
-      // Auto-redirect HTTP to HTTPS
-      http: {
-        enabled: true,
-        redirectToHttps: true
-      }
-    }))
+    })
   ]
 });
-await devProxy.start();
+await apiGateway.start();
 ```
-### 3. Load Balancing Multiple Servers
+### 2. Complete HTTPS Server with HTTP Redirect
-Distribute traffic across multiple backend servers with round-robin load balancing:
+Easily set up a secure HTTPS server with automatic redirection from HTTP:
 ```typescript
-import { SmartProxy, createDomainConfig, tlsTerminateToHttp } from '@push.rocks/smartproxy';
+import { SmartProxy, createHttpsServer } from '@push.rocks/smartproxy';
-const loadBalancer = new SmartProxy({
-  fromPort: 443,
-  domainConfigs: [
-    createDomainConfig('app.example.com', tlsTerminateToHttp({
-      target: {
-        // Round-robin across multiple servers
-        host: [
-          '10.0.0.10',
-          '10.0.0.11',
-          '10.0.0.12'
-        ],
-        port: 8080
-      },
-      acme: { enabled: true, production: true }
-    }))
+const webServer = new SmartProxy({
+  routes: [
+    // createHttpsServer creates both the HTTPS route and HTTP redirect
+    ...createHttpsServer({
+      domains: 'example.com',
+      target: { host: 'localhost', port: 8080 },
+      certificate: 'auto',
+      addHttpRedirect: true
+    })
   ]
 });
-await loadBalancer.start();
+await webServer.start();
 ```
-### 4. Wildcard Subdomain Handling
+### 3. Multi-Tenant Application with Wildcard Domains
-Support multiple or dynamically created subdomains with one configuration:
+Support dynamically created tenants with wildcard domain matching:
 ```typescript
-import { SmartProxy, createDomainConfig, tlsTerminateToHttp } from '@push.rocks/smartproxy';
-const multiTenantProxy = new SmartProxy({
-  fromPort: 443,
-  domainConfigs: [
-    // Handle all customer subdomains with one config
-    createDomainConfig('*.example.com', tlsTerminateToHttp({
+import { SmartProxy, createHttpsRoute, createHttpToHttpsRedirect } from '@push.rocks/smartproxy';
+const multiTenantApp = new SmartProxy({
+  routes: [
+    // Handle all tenant subdomains with one route
+    createHttpsRoute({
+      ports: 443,
+      domains: '*.example.com',
       target: { host: 'tenant-router', port: 8080 },
-      acme: { enabled: true, production: true },
+      certificate: 'auto',
       // Pass original hostname to backend for tenant identification
       advanced: {
         headers: {
           'X-Original-Host': '{sni}'
         }
       }
-    }))
-  ],
-  sniEnabled: true
+    }),
+    // Redirect HTTP to HTTPS for all subdomains
+    createHttpToHttpsRedirect({
+      domains: ['*.example.com']
+    })
+  ]
 });
-await multiTenantProxy.start();
+await multiTenantApp.start();
 ```
-### 5. Comprehensive Proxy Server
+### 4. Complex Multi-Service Infrastructure
-Create a complete proxy solution with multiple services on a single server:
+Create a comprehensive proxy solution with multiple services and security controls:
 ```typescript
-import { SmartProxy, createDomainConfig, httpOnly, tlsTerminateToHttp, tlsTerminateToHttps, httpsPassthrough } from '@push.rocks/smartproxy';
+import {
+  SmartProxy,
+  createHttpsRoute,
+  createPassthroughRoute,
+  createBlockRoute,
+  createHttpToHttpsRedirect
+} from '@push.rocks/smartproxy';
 const enterpriseProxy = new SmartProxy({
-  fromPort: 443,
-  domainConfigs: [
+  routes: [
     // Web application with automatic HTTPS
-    createDomainConfig('app.example.com', tlsTerminateToHttp({
+    createHttpsRoute({
+      ports: 443,
+      domains: 'app.example.com',
       target: { host: 'web-app', port: 8080 },
-      acme: { enabled: true, production: true },
-      http: { enabled: true, redirectToHttps: true }
-    })),
+      certificate: 'auto'
+    }),
     // Legacy system that needs HTTPS passthrough
-    createDomainConfig('legacy.example.com', httpsPassthrough({
+    createPassthroughRoute({
+      ports: 443,
+      domains: 'legacy.example.com',
       target: { host: 'legacy-server', port: 443 }
-    })),
+    }),
     // Internal APIs with IP restrictions
-    createDomainConfig('api.internal.example.com', tlsTerminateToHttp({
+    createHttpsRoute({
+      ports: 443,
+      domains: 'api.internal.example.com',
       target: { host: 'api-gateway', port: 3000 },
+      certificate: 'auto',
       security: {
         allowedIps: ['10.0.0.0/16', '192.168.0.0/16'],
         maxConnections: 500
       }
-    })),
-    // External services with customer certificate
-    createDomainConfig('external.example.com', tlsTerminateToHttps({
-      target: { host: 'external-service', port: 8443 },
-      https: {
-        customCert: {
-          key: fs.readFileSync('external-key.pem', 'utf8'),
-          cert: fs.readFileSync('external-cert.pem', 'utf8')
-        }
-      }
-    }))
+    }),
+    // Block known malicious IPs
+    createBlockRoute({
+      ports: [80, 443],
+      clientIp: ['1.2.3.*', '5.6.7.*'],
+      priority: 1000
+    }),
+    // Redirect all HTTP to HTTPS
+    createHttpToHttpsRedirect({
+      domains: ['*.example.com', 'example.com']
+    })
   ],
-  sniEnabled: true,
+  // Global settings that apply to all routes
+  defaults: {
+    security: {
+      maxConnections: 1000
+    }
+  },
   // Enable connection timeouts for security
   inactivityTimeout: 30000,
   // Using global certificate management
   acme: {
     enabled: true,
@@ -702,116 +976,86 @@ const enterpriseProxy = new SmartProxy({
 await enterpriseProxy.start();
 ```
-## Unified Forwarding System Details
+## Route-Based Configuration Details
-SmartProxy's unified forwarding system supports four primary forwarding types:
+### Match Criteria Options
-1. **HTTP-only (`http-only`)**: Forwards HTTP traffic to a backend server.
-2. **HTTPS Passthrough (`https-passthrough`)**: Passes through raw TLS traffic without termination (SNI forwarding).
-3. **HTTPS Termination to HTTP (`https-terminate-to-http`)**: Terminates TLS and forwards the decrypted traffic to an HTTP backend.
-4. **HTTPS Termination to HTTPS (`https-terminate-to-https`)**: Terminates TLS and creates a new TLS connection to an HTTPS backend.
+- **ports**: `number | number[] | Array<{ from: number; to: number }>` (required)
+  Listen on specific ports or port ranges
-### Configuration Format
+- **domains**: `string | string[]` (optional)
+  Match specific domain names, supports wildcards (e.g., `*.example.com`)
-Each domain is configured with a forwarding type and target:
+- **path**: `string` (optional)
+  Match specific URL paths, supports glob patterns
-```typescript
-{
-  domains: ['example.com'],  // Single domain or array of domains (with wildcard support)
-  forwarding: {
-    type: 'http-only',       // One of the four forwarding types
-    target: {
-      host: 'localhost',     // Backend server (string or array for load balancing)
-      port: 3000             // Backend port
-    }
-    // Additional options as needed
-  }
-}
-```
+- **clientIp**: `string[]` (optional)
+  Match client IP addresses, supports glob patterns
-### Helper Functions
+- **tlsVersion**: `string[]` (optional)
+  Match specific TLS versions (e.g., `TLSv1.2`, `TLSv1.3`)
-Helper functions provide a cleaner syntax for creating configurations:
+### Action Types
-```typescript
-// Instead of manually specifying the type and format
-const config = createDomainConfig('example.com', httpOnly({
-  target: { host: 'localhost', port: 3000 }
-}));
-// Available helper functions:
-// - httpOnly() - For HTTP-only traffic
-// - httpsPassthrough() - For SNI-based passthrough
-// - tlsTerminateToHttp() - For HTTPS termination to HTTP
-// - tlsTerminateToHttps() - For HTTPS termination to HTTPS
-```
+1. **Forward**:
+   ```typescript
+   {
+     type: 'forward',
+     target: { host: 'localhost', port: 8080 },
+     tls: { mode: 'terminate', certificate: 'auto' }
+   }
+   ```
-### Advanced Configuration Options
+2. **Redirect**:
+   ```typescript
+   {
+     type: 'redirect',
+     redirect: { to: 'https://{domain}{path}', status: 301 }
+   }
+   ```
-For more complex scenarios, additional options can be specified:
+3. **Block**:
+   ```typescript
+   {
+     type: 'block'
+   }
+   ```
-```typescript
-createDomainConfig('api.example.com', tlsTerminateToHttps({
-  // Target configuration with load balancing
-  target: {
-    host: ['10.0.0.10', '10.0.0.11'], // Round-robin load balancing
-    port: 8443
-  },
+### TLS Modes
-  // HTTP options
-  http: {
-    enabled: true,                   // Listen on HTTP port
-    redirectToHttps: true            // Automatically redirect to HTTPS
-  },
+- **passthrough**: Forward raw TLS traffic without decryption
+- **terminate**: Terminate TLS and forward as HTTP
+- **terminate-and-reencrypt**: Terminate TLS and create a new TLS connection to the backend
-  // HTTPS/TLS options
-  https: {
-    customCert: {                    // Provide your own certificate
-      key: '-----BEGIN PRIVATE KEY-----\n...',
-      cert: '-----BEGIN CERTIFICATE-----\n...'
-    },
-    forwardSni: true                 // Forward original SNI to backend
-  },
+### Template Variables
-  // Let's Encrypt ACME integration
-  acme: {
-    enabled: true,                   // Enable automatic certificates
-    production: true,                // Use production Let's Encrypt
-    maintenance: true                // Auto-renew certificates
-  },
+Template variables can be used in string values:
-  // Security settings
-  security: {
-    allowedIps: ['10.0.0.*'],        // IP allowlist (glob patterns)
-    blockedIps: ['1.2.3.4'],         // IP blocklist
-    maxConnections: 100              // Connection limits
-  },
+- `{domain}`: The requested domain name
+- `{port}`: The incoming port number
+- `{path}`: The requested URL path
+- `{query}`: The query string
+- `{clientIp}`: The client's IP address
+- `{sni}`: The SNI hostname
-  // Advanced settings
-  advanced: {
-    timeout: 30000,                  // Connection timeout in ms
-    headers: {                       // Custom headers to backend
-      'X-Forwarded-For': '{clientIp}',
-      'X-Original-Host': '{sni}'     // Template variables available
-    },
-    keepAlive: true                  // Keep connections alive
-  }
-}))
+Example:
+```typescript
+createRedirectRoute({
+  domains: 'old.example.com',
+  redirectTo: 'https://new.example.com{path}?source=redirect'
+})
 ```
-### Extended Configuration Options
-#### IForwardConfig
-- `type`: 'http-only' | 'https-passthrough' | 'https-terminate-to-http' | 'https-terminate-to-https'
-- `target`: { host: string | string[], port: number }
-- `http?`: { enabled?: boolean, redirectToHttps?: boolean, headers?: Record<string, string> }
-- `https?`: { customCert?: { key: string, cert: string }, forwardSni?: boolean }
-- `acme?`: { enabled?: boolean, maintenance?: boolean, production?: boolean, forwardChallenges?: { host: string, port: number, useTls?: boolean } }
-- `security?`: { allowedIps?: string[], blockedIps?: string[], maxConnections?: number }
-- `advanced?`: { portRanges?: Array<{ from: number, to: number }>, networkProxyPort?: number, keepAlive?: boolean, timeout?: number, headers?: Record<string, string> }
 ## Configuration Options
+### SmartProxy (IRoutedSmartProxyOptions)
+- `routes` (IRouteConfig[], required) - Array of route configurations
+- `defaults` (object) - Default settings for all routes
+- `acme` (IAcmeOptions) - ACME certificate options
+- Connection timeouts: `initialDataTimeout`, `socketTimeout`, `inactivityTimeout`, etc.
+- Socket opts: `noDelay`, `keepAlive`, `enableKeepAliveProbes`
+- `certProvisionFunction` (callback) - Custom certificate provisioning
 ### NetworkProxy (INetworkProxyOptions)
 - `port` (number, required)
 - `backendProtocol` ('http1'|'http2', default 'http1')
@@ -844,25 +1088,22 @@ createDomainConfig('api.example.com', tlsTerminateToHttps({
 - `useIPSets` (boolean, default true)
 - `qos`, `netProxyIntegration` (objects)
-### Redirect / SslRedirect
-- Constructor options: `httpPort`, `httpsPort`, `sslOptions`, `rules` (IRedirectRule[])
-### SmartProxy (ISmartProxyOptions)
-- `fromPort`, `toPort` (number)
-- `domainConfigs` (IDomainConfig[]) - Using unified forwarding configuration
-- `sniEnabled`, `preserveSourceIP` (booleans)
-- `defaultAllowedIPs`, `defaultBlockedIPs` (string[]) - Default IP allowlists/blocklists
-- Timeouts: `initialDataTimeout`, `socketTimeout`, `inactivityTimeout`, etc.
-- Socket opts: `noDelay`, `keepAlive`, `enableKeepAliveProbes`
-- `acme` (IAcmeOptions), `certProvisionFunction` (callback)
-- `useNetworkProxy` (number[]), `networkProxyPort` (number)
-- `globalPortRanges` (Array<{ from: number; to: number }>)
 ## Troubleshooting
+### SmartProxy
+- If routes aren't matching as expected, check their priorities
+- For domain matching issues, verify SNI extraction is working
+- Use higher priority for block routes to ensure they take precedence
+- Enable `enableDetailedLogging` or `enableTlsDebugLogging` for debugging
+### TLS/Certificates
+- For certificate issues, check the ACME settings and domain validation
+- Ensure domains are publicly accessible for Let's Encrypt validation
+- For TLS handshake issues, increase `initialDataTimeout` and `maxPendingDataSize`
 ### NetworkProxy
 - Verify ports, certificates and `rejectUnauthorized` for TLS errors
-- Configure CORS or use `addDefaultHeaders` for preflight issues
+- Configure CORS for preflight issues
 - Increase `maxConnections` or `connectionPoolSize` under load
 ### Port80Handler
@@ -873,18 +1114,6 @@ createDomainConfig('api.example.com', tlsTerminateToHttps({
 - Ensure `nft` is installed and run with sufficient privileges
 - Use `forceCleanSlate:true` to clear conflicting rules
-### Redirect / SslRedirect
-- Check `fromHost`/`fromPath` patterns and Host headers
-- Validate `sslOptions` key/cert correctness
-### SmartProxy & SniHandler
-- Increase `initialDataTimeout`/`maxPendingDataSize` for large ClientHello
-- Enable `enableTlsDebugLogging` to trace handshake
-- Ensure `allowSessionTicket` and fragmentation support for resumption
-- Double-check forwarding configuration to ensure correct `type` for your use case
-- Use helper functions like `httpOnly()`, `httpsPassthrough()`, etc. to create correct configurations
-- For IP filtering issues, check the `security.allowedIps` and `security.blockedIps` settings
 ## License and Legal Information
 This repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license](license) file within this repository.