@push.rocks/smartproxy 21.1.7 → 22.6.0

package/dist_ts/routing/models/http-types.js

@@ -1,7 +1,95 @@
 /**
- * This file re-exports HTTP types from the HttpProxy module
- * for backward compatibility. All HTTP types are now consolidated
- * in the HttpProxy module.
+ * HTTP types for routing module.
+ * These were previously in http-proxy and are now self-contained here.
  */
-export * from '../../proxies/http-proxy/models/http-types.js';
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaHR0cC10eXBlcy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3RzL3JvdXRpbmcvbW9kZWxzL2h0dHAtdHlwZXMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUE7Ozs7R0FJRztBQUNILGNBQWMsK0NBQStDLENBQUMifQ==
+import * as plugins from '../../plugins.js';
+import { HttpStatus as ProtocolHttpStatus, getStatusText as getProtocolStatusText } from '../../protocols/http/index.js';
+/**
+ * HTTP-specific event types
+ */
+export var HttpEvents;
+(function (HttpEvents) {
+    HttpEvents["REQUEST_RECEIVED"] = "request-received";
+    HttpEvents["REQUEST_FORWARDED"] = "request-forwarded";
+    HttpEvents["REQUEST_HANDLED"] = "request-handled";
+    HttpEvents["REQUEST_ERROR"] = "request-error";
+})(HttpEvents || (HttpEvents = {}));
+// Re-export for backward compatibility with subset of commonly used codes
+export const HttpStatus = {
+    OK: ProtocolHttpStatus.OK,
+    MOVED_PERMANENTLY: ProtocolHttpStatus.MOVED_PERMANENTLY,
+    FOUND: ProtocolHttpStatus.FOUND,
+    TEMPORARY_REDIRECT: ProtocolHttpStatus.TEMPORARY_REDIRECT,
+    PERMANENT_REDIRECT: ProtocolHttpStatus.PERMANENT_REDIRECT,
+    BAD_REQUEST: ProtocolHttpStatus.BAD_REQUEST,
+    UNAUTHORIZED: ProtocolHttpStatus.UNAUTHORIZED,
+    FORBIDDEN: ProtocolHttpStatus.FORBIDDEN,
+    NOT_FOUND: ProtocolHttpStatus.NOT_FOUND,
+    METHOD_NOT_ALLOWED: ProtocolHttpStatus.METHOD_NOT_ALLOWED,
+    REQUEST_TIMEOUT: ProtocolHttpStatus.REQUEST_TIMEOUT,
+    TOO_MANY_REQUESTS: ProtocolHttpStatus.TOO_MANY_REQUESTS,
+    INTERNAL_SERVER_ERROR: ProtocolHttpStatus.INTERNAL_SERVER_ERROR,
+    NOT_IMPLEMENTED: ProtocolHttpStatus.NOT_IMPLEMENTED,
+    BAD_GATEWAY: ProtocolHttpStatus.BAD_GATEWAY,
+    SERVICE_UNAVAILABLE: ProtocolHttpStatus.SERVICE_UNAVAILABLE,
+    GATEWAY_TIMEOUT: ProtocolHttpStatus.GATEWAY_TIMEOUT,
+};
+/**
+ * Base error class for HTTP-related errors
+ */
+export class HttpError extends Error {
+    constructor(message, statusCode = HttpStatus.INTERNAL_SERVER_ERROR) {
+        super(message);
+        this.statusCode = statusCode;
+        this.name = 'HttpError';
+    }
+}
+/**
+ * Error related to certificate operations
+ */
+export class CertificateError extends HttpError {
+    constructor(message, domain, isRenewal = false) {
+        super(`${message} for domain ${domain}${isRenewal ? ' (renewal)' : ''}`, HttpStatus.INTERNAL_SERVER_ERROR);
+        this.domain = domain;
+        this.isRenewal = isRenewal;
+        this.name = 'CertificateError';
+    }
+}
+/**
+ * Error related to server operations
+ */
+export class ServerError extends HttpError {
+    constructor(message, code, statusCode = HttpStatus.INTERNAL_SERVER_ERROR) {
+        super(message, statusCode);
+        this.code = code;
+        this.name = 'ServerError';
+    }
+}
+/**
+ * Error for bad requests
+ */
+export class BadRequestError extends HttpError {
+    constructor(message) {
+        super(message, HttpStatus.BAD_REQUEST);
+        this.name = 'BadRequestError';
+    }
+}
+/**
+ * Error for not found resources
+ */
+export class NotFoundError extends HttpError {
+    constructor(message = 'Resource not found') {
+        super(message, HttpStatus.NOT_FOUND);
+        this.name = 'NotFoundError';
+    }
+}
+/**
+ * Helper function to get HTTP status text
+ */
+export function getStatusText(status) {
+    return getProtocolStatusText(status);
+}
+// Backward compatibility exports
+export { HttpError as Port80HandlerError };
+export { CertificateError as CertError };
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaHR0cC10eXBlcy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3RzL3JvdXRpbmcvbW9kZWxzL2h0dHAtdHlwZXMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUE7OztHQUdHO0FBQ0gsT0FBTyxLQUFLLE9BQU8sTUFBTSxrQkFBa0IsQ0FBQztBQUM1QyxPQUFPLEVBQUUsVUFBVSxJQUFJLGtCQUFrQixFQUFFLGFBQWEsSUFBSSxxQkFBcUIsRUFBRSxNQUFNLCtCQUErQixDQUFDO0FBRXpIOztHQUVHO0FBQ0gsTUFBTSxDQUFOLElBQVksVUFLWDtBQUxELFdBQVksVUFBVTtJQUNwQixtREFBcUMsQ0FBQTtJQUNyQyxxREFBdUMsQ0FBQTtJQUN2QyxpREFBbUMsQ0FBQTtJQUNuQyw2Q0FBK0IsQ0FBQTtBQUNqQyxDQUFDLEVBTFcsVUFBVSxLQUFWLFVBQVUsUUFLckI7QUFFRCwwRUFBMEU7QUFDMUUsTUFBTSxDQUFDLE1BQU0sVUFBVSxHQUFHO0lBQ3hCLEVBQUUsRUFBRSxrQkFBa0IsQ0FBQyxFQUFFO0lBQ3pCLGlCQUFpQixFQUFFLGtCQUFrQixDQUFDLGlCQUFpQjtJQUN2RCxLQUFLLEVBQUUsa0JBQWtCLENBQUMsS0FBSztJQUMvQixrQkFBa0IsRUFBRSxrQkFBa0IsQ0FBQyxrQkFBa0I7SUFDekQsa0JBQWtCLEVBQUUsa0JBQWtCLENBQUMsa0JBQWtCO0lBQ3pELFdBQVcsRUFBRSxrQkFBa0IsQ0FBQyxXQUFXO0lBQzNDLFlBQVksRUFBRSxrQkFBa0IsQ0FBQyxZQUFZO0lBQzdDLFNBQVMsRUFBRSxrQkFBa0IsQ0FBQyxTQUFTO0lBQ3ZDLFNBQVMsRUFBRSxrQkFBa0IsQ0FBQyxTQUFTO0lBQ3ZDLGtCQUFrQixFQUFFLGtCQUFrQixDQUFDLGtCQUFrQjtJQUN6RCxlQUFlLEVBQUUsa0JBQWtCLENBQUMsZUFBZTtJQUNuRCxpQkFBaUIsRUFBRSxrQkFBa0IsQ0FBQyxpQkFBaUI7SUFDdkQscUJBQXFCLEVBQUUsa0JBQWtCLENBQUMscUJBQXFCO0lBQy9ELGVBQWUsRUFBRSxrQkFBa0IsQ0FBQyxlQUFlO0lBQ25ELFdBQVcsRUFBRSxrQkFBa0IsQ0FBQyxXQUFXO0lBQzNDLG1CQUFtQixFQUFFLGtCQUFrQixDQUFDLG1CQUFtQjtJQUMzRCxlQUFlLEVBQUUsa0JBQWtCLENBQUMsZUFBZTtDQUMzQyxDQUFDO0FBRVg7O0dBRUc7QUFDSCxNQUFNLE9BQU8sU0FBVSxTQUFRLEtBQUs7SUFDbEMsWUFBWSxPQUFlLEVBQWtCLGFBQXFCLFVBQVUsQ0FBQyxxQkFBcUI7UUFDaEcsS0FBSyxDQUFDLE9BQU8sQ0FBQyxDQUFDO1FBRDRCLGVBQVUsR0FBVixVQUFVLENBQTJDO1FBRWhHLElBQUksQ0FBQyxJQUFJLEdBQUcsV0FBVyxDQUFDO0lBQzFCLENBQUM7Q0FDRjtBQUVEOztHQUVHO0FBQ0gsTUFBTSxPQUFPLGdCQUFpQixTQUFRLFNBQVM7SUFDN0MsWUFDRSxPQUFlLEVBQ0MsTUFBYyxFQUNkLFlBQXFCLEtBQUs7UUFFMUMsS0FBSyxDQUFDLEdBQUcsT0FBTyxlQUFlLE1BQU0sR0FBRyxTQUFTLENBQUMsQ0FBQyxDQUFDLFlBQVksQ0FBQyxDQUFDLENBQUMsRUFBRSxFQUFFLEVBQUUsVUFBVSxDQUFDLHFCQUFxQixDQUFDLENBQUM7UUFIM0YsV0FBTSxHQUFOLE1BQU0sQ0FBUTtRQUNkLGNBQVMsR0FBVCxTQUFTLENBQWlCO1FBRzFDLElBQUksQ0FBQyxJQUFJLEdBQUcsa0JBQWtCLENBQUM7SUFDakMsQ0FBQztDQUNGO0FBRUQ7O0dBRUc7QUFDSCxNQUFNLE9BQU8sV0FBWSxTQUFRLFNBQVM7SUFDeEMsWUFBWSxPQUFlLEVBQWtCLElBQWEsRUFBRSxhQUFxQixVQUFVLENBQUMscUJBQXFCO1FBQy9HLEtBQUssQ0FBQyxPQUFPLEVBQUUsVUFBVSxDQUFDLENBQUM7UUFEZ0IsU0FBSSxHQUFKLElBQUksQ0FBUztRQUV4RCxJQUFJLENBQUMsSUFBSSxHQUFHLGFBQWEsQ0FBQztJQUM1QixDQUFDO0NBQ0Y7QUFFRDs7R0FFRztBQUNILE1BQU0sT0FBTyxlQUFnQixTQUFRLFNBQVM7SUFDNUMsWUFBWSxPQUFlO1FBQ3pCLEtBQUssQ0FBQyxPQUFPLEVBQUUsVUFBVSxDQUFDLFdBQVcsQ0FBQyxDQUFDO1FBQ3ZDLElBQUksQ0FBQyxJQUFJLEdBQUcsaUJBQWlCLENBQUM7SUFDaEMsQ0FBQztDQUNGO0FBRUQ7O0dBRUc7QUFDSCxNQUFNLE9BQU8sYUFBYyxTQUFRLFNBQVM7SUFDMUMsWUFBWSxVQUFrQixvQkFBb0I7UUFDaEQsS0FBSyxDQUFDLE9BQU8sRUFBRSxVQUFVLENBQUMsU0FBUyxDQUFDLENBQUM7UUFDckMsSUFBSSxDQUFDLElBQUksR0FBRyxlQUFlLENBQUM7SUFDOUIsQ0FBQztDQUNGO0FBOEJEOztHQUVHO0FBQ0gsTUFBTSxVQUFVLGFBQWEsQ0FBQyxNQUFjO0lBQzFDLE9BQU8scUJBQXFCLENBQUMsTUFBNEIsQ0FBQyxDQUFDO0FBQzdELENBQUM7QUFxQkQsaUNBQWlDO0FBQ2pDLE9BQU8sRUFBRSxTQUFTLElBQUksa0JBQWtCLEVBQUUsQ0FBQztBQUMzQyxPQUFPLEVBQUUsZ0JBQWdCLElBQUksU0FBUyxFQUFFLENBQUMifQ==

package/npmextra.json

@@ -1,5 +1,5 @@
 {
-  "gitzone": {
+  "@git.zone/cli": {
     "projectType": "npm",
     "module": {
       "githost": "code.foss.global",
@@ -26,13 +26,19 @@
         "server",
         "network security"
       ]
+    },
+    "release": {
+      "registries": [
+        "https://verdaccio.lossless.digital",
+        "https://registry.npmjs.org"
+      ],
+      "accessLevel": "public"
     }
   },
-  "npmci": {
-    "npmGlobalTools": [],
-    "npmAccessLevel": "public"
-  },
-  "tsdoc": {
+  "@git.zone/tsdoc": {
     "legal": "\n## License and Legal Information\n\nThis repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license](license) file within this repository. \n\n**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.\n\n### Trademarks\n\nThis project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH and are not included within the scope of the MIT license granted herein. Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines, and any usage must be approved in writing by Task Venture Capital GmbH.\n\n### Company Information\n\nTask Venture Capital GmbH  \nRegistered at District court Bremen HRB 35230 HB, Germany\n\nFor any legal inquiries or if you require further information, please contact us via email at hello@task.vc.\n\nBy using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.\n"
+  },
+  "@ship.zone/szci": {
+    "npmGlobalTools": []
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "21.1.7",
+  "version": "22.6.0",
   "private": false,
   "description": "A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.",
   "main": "dist_ts/index.js",
@@ -8,12 +8,19 @@
   "type": "module",
   "author": "Lossless GmbH",
   "license": "MIT",
+  "scripts": {
+    "test": "(tstest test/**/test*.ts --verbose --timeout 60 --logfile)",
+    "build": "(tsbuild tsfolders --allowimplicitany)",
+    "format": "(gitzone format)",
+    "buildDocs": "tsdoc"
+  },
   "devDependencies": {
-    "@git.zone/tsbuild": "^2.6.4",
-    "@git.zone/tsrun": "^1.2.44",
-    "@git.zone/tstest": "^2.3.1",
-    "@types/node": "^22.15.29",
-    "typescript": "^5.8.3",
+    "@git.zone/tsbuild": "^3.1.2",
+    "@git.zone/tsrun": "^2.0.0",
+    "@git.zone/tstest": "^3.1.3",
+    "@push.rocks/smartserve": "^1.4.0",
+    "@types/node": "^24.10.2",
+    "typescript": "^5.9.3",
     "why-is-node-running": "^3.2.2"
   },
   "dependencies": {
@@ -21,20 +28,20 @@
     "@push.rocks/smartacme": "^8.0.0",
     "@push.rocks/smartcrypto": "^2.0.4",
     "@push.rocks/smartdelay": "^3.0.5",
-    "@push.rocks/smartfile": "^11.2.5",
-    "@push.rocks/smartlog": "^3.1.8",
-    "@push.rocks/smartnetwork": "^4.0.2",
+    "@push.rocks/smartfile": "^13.1.0",
+    "@push.rocks/smartlog": "^3.1.10",
+    "@push.rocks/smartnetwork": "^4.4.0",
     "@push.rocks/smartpromise": "^4.2.3",
-    "@push.rocks/smartrequest": "^2.1.0",
+    "@push.rocks/smartrequest": "^5.0.1",
     "@push.rocks/smartrx": "^3.0.10",
-    "@push.rocks/smartstring": "^4.0.15",
-    "@push.rocks/taskbuffer": "^3.1.7",
-    "@tsclass/tsclass": "^9.2.0",
-    "@types/minimatch": "^5.1.2",
+    "@push.rocks/smartstring": "^4.1.0",
+    "@push.rocks/taskbuffer": "^3.5.0",
+    "@tsclass/tsclass": "^9.3.0",
+    "@types/minimatch": "^6.0.0",
     "@types/ws": "^8.18.1",
-    "minimatch": "^10.0.1",
-    "pretty-ms": "^9.2.0",
-    "ws": "^8.18.2"
+    "minimatch": "^10.1.1",
+    "pretty-ms": "^9.3.0",
+    "ws": "^8.18.3"
   },
   "files": [
     "ts/**/*",
@@ -77,10 +84,13 @@
   "bugs": {
     "url": "https://code.foss.global/push.rocks/smartproxy/issues"
   },
-  "scripts": {
-    "test": "(tstest test/**/test*.ts --verbose --timeout 60 --logfile)",
-    "build": "(tsbuild tsfolders --allowimplicitany)",
-    "format": "(gitzone format)",
-    "buildDocs": "tsdoc"
-  }
-}
+  "pnpm": {
+    "overrides": {},
+    "onlyBuiltDependencies": [
+      "esbuild",
+      "mongodb-memory-server",
+      "puppeteer"
+    ]
+  },
+  "packageManager": "pnpm@10.10.0+sha512.d615db246fe70f25dcfea6d8d73dee782ce23e2245e3c4f6f888249fb568149318637dca73c2c5c8ef2a4ca0d5657fb9567188bfab47f566d1ee6ce987815c39"
+}

package/readme.hints.md

@@ -345,4 +345,187 @@ new SmartProxy({
 1. Implement proper certificate expiry date extraction using X.509 parsing
 2. Add support for returning expiry date with custom certificates
 3. Consider adding validation for custom certificate format
-4. Add events/hooks for certificate provisioning lifecycle
+4. Add events/hooks for certificate provisioning lifecycle
+
+## HTTPS/TLS Configuration Guide
+
+SmartProxy supports three TLS modes for handling HTTPS traffic. Understanding when to use each mode is crucial for correct configuration.
+
+### TLS Mode: Passthrough (SNI Routing)
+
+**When to use**: Backend server handles its own TLS certificates.
+
+**How it works**:
+1. Client connects with TLS ClientHello containing SNI (Server Name Indication)
+2. SmartProxy extracts the SNI hostname without decrypting
+3. Connection is forwarded to backend as-is (still encrypted)
+4. Backend server terminates TLS with its own certificate
+
+**Configuration**:
+```typescript
+{
+  match: { ports: 443, domains: 'backend.example.com' },
+  action: {
+    type: 'forward',
+    targets: [{ host: 'backend-server', port: 443 }],
+    tls: { mode: 'passthrough' }
+  }
+}
+```
+
+**Requirements**:
+- Backend must have valid TLS certificate for the domain
+- Client's SNI must be present (session tickets without SNI will be rejected)
+- No HTTP-level inspection possible (encrypted end-to-end)
+
+### TLS Mode: Terminate
+
+**When to use**: SmartProxy handles TLS, backend receives plain HTTP.
+
+**How it works**:
+1. Client connects with TLS ClientHello
+2. SmartProxy terminates TLS (decrypts traffic)
+3. Decrypted HTTP is forwarded to backend on plain HTTP port
+4. Backend receives unencrypted traffic
+
+**Configuration**:
+```typescript
+{
+  match: { ports: 443, domains: 'api.example.com' },
+  action: {
+    type: 'forward',
+    targets: [{ host: 'localhost', port: 8080 }],  // HTTP backend
+    tls: {
+      mode: 'terminate',
+      certificate: 'auto'  // Let's Encrypt, or provide { key, cert }
+    }
+  }
+}
+```
+
+**Requirements**:
+- ACME email configured for auto certificates: `acme: { email: 'admin@example.com' }`
+- Port 80 available for HTTP-01 challenges (or use DNS-01)
+- Backend accessible on HTTP port
+
+### TLS Mode: Terminate and Re-encrypt
+
+**When to use**: SmartProxy handles client TLS, but backend also requires TLS.
+
+**How it works**:
+1. Client connects with TLS ClientHello
+2. SmartProxy terminates client TLS (decrypts)
+3. SmartProxy creates new TLS connection to backend
+4. Traffic is re-encrypted for the backend connection
+
+**Configuration**:
+```typescript
+{
+  match: { ports: 443, domains: 'secure.example.com' },
+  action: {
+    type: 'forward',
+    targets: [{ host: 'backend-tls', port: 443 }],  // HTTPS backend
+    tls: {
+      mode: 'terminate-and-reencrypt',
+      certificate: 'auto'
+    }
+  }
+}
+```
+
+**Requirements**:
+- Same as 'terminate' mode
+- Backend must have valid TLS (can be self-signed for internal use)
+
+### HttpProxy Integration
+
+For TLS termination modes (`terminate` and `terminate-and-reencrypt`), SmartProxy uses an internal HttpProxy component:
+
+- HttpProxy listens on an internal port (default: 8443)
+- SmartProxy forwards TLS connections to HttpProxy for termination
+- Client IP is preserved via `CLIENT_IP:` header protocol
+- HTTP/2 and WebSocket are supported after TLS termination
+
+**Configuration**:
+```typescript
+{
+  useHttpProxy: [443],        // Ports that use HttpProxy for TLS termination
+  httpProxyPort: 8443,        // Internal HttpProxy port
+  acme: {
+    email: 'admin@example.com',
+    useProduction: true       // false for Let's Encrypt staging
+  }
+}
+```
+
+### Common Configuration Patterns
+
+**HTTP to HTTPS Redirect**:
+```typescript
+import { createHttpToHttpsRedirect } from '@push.rocks/smartproxy';
+
+const redirectRoute = createHttpToHttpsRedirect(['example.com', 'www.example.com']);
+```
+
+**Complete HTTPS Server (with redirect)**:
+```typescript
+import { createCompleteHttpsServer } from '@push.rocks/smartproxy';
+
+const routes = createCompleteHttpsServer(
+  'example.com',
+  { host: 'localhost', port: 8080 },
+  { certificate: 'auto' }
+);
+```
+
+**Load Balancer with Health Checks**:
+```typescript
+import { createLoadBalancerRoute } from '@push.rocks/smartproxy';
+
+const lbRoute = createLoadBalancerRoute(
+  'api.example.com',
+  [
+    { host: 'backend1', port: 8080 },
+    { host: 'backend2', port: 8080 },
+    { host: 'backend3', port: 8080 }
+  ],
+  { tls: { mode: 'terminate', certificate: 'auto' } }
+);
+```
+
+### Smart SNI Requirement (v22.3+)
+
+SmartProxy automatically determines when SNI is required for routing. Session tickets (TLS resumption without SNI) are now allowed in more scenarios:
+
+**SNI NOT required (session tickets allowed):**
+- Single passthrough route with static target(s) and no domain restriction
+- Single passthrough route with wildcard-only domain (`*` or `['*']`)
+- TLS termination routes (`terminate` or `terminate-and-reencrypt`)
+- Mixed terminate + passthrough routes (termination takes precedence)
+
+**SNI IS required (session tickets blocked):**
+- Multiple passthrough routes on the same port (need SNI to pick correct route)
+- Route has dynamic host function (e.g., `host: (ctx) => ctx.domain === 'api.example.com' ? 'api-backend' : 'web-backend'`)
+- Route has specific domain restriction (e.g., `domains: 'api.example.com'` or `domains: '*.example.com'`)
+
+This allows simple single-target passthrough setups to work with TLS session resumption, improving performance for clients that reuse connections.
+
+### Troubleshooting
+
+**"No SNI detected" errors**:
+- Client is using TLS session resumption without SNI
+- Solution: Configure route for TLS termination (allows session resumption), or ensure you have a single-target passthrough route with no domain restrictions
+
+**"HttpProxy not available" errors**:
+- `useHttpProxy` not configured for the port
+- Solution: Add port to `useHttpProxy` array in settings
+
+**Certificate provisioning failures**:
+- Port 80 not accessible for HTTP-01 challenges
+- ACME email not configured
+- Solution: Ensure port 80 is available and `acme.email` is set
+
+**Connection timeouts to HttpProxy**:
+- CLIENT_IP header parsing timeout (default: 2000ms)
+- Network congestion between SmartProxy and HttpProxy
+- Solution: Check localhost connectivity, increase timeout if needed