@push.rocks/smartproxy 21.1.7 → 22.6.0

package/ts/proxies/smart-proxy/route-connection-handler.ts

@@ -1,1640 +0,0 @@
-import * as plugins from '../../plugins.js';
-import type { IConnectionRecord, ISmartProxyOptions } from './models/interfaces.js';
-import { logger } from '../../core/utils/logger.js';
-import { connectionLogDeduplicator } from '../../core/utils/log-deduplicator.js';
-// Route checking functions have been removed
-import type { IRouteConfig, IRouteAction, IRouteTarget } from './models/route-types.js';
-import type { IRouteContext } from '../../core/models/route-context.js';
-import { cleanupSocket, setupSocketHandlers, createSocketWithErrorHandler, setupBidirectionalForwarding } from '../../core/utils/socket-utils.js';
-import { WrappedSocket } from '../../core/models/wrapped-socket.js';
-import { getUnderlyingSocket } from '../../core/models/socket-types.js';
-import { ProxyProtocolParser } from '../../core/utils/proxy-protocol.js';
-import type { SmartProxy } from './smart-proxy.js';
-import { ProtocolDetector } from '../../detection/index.js';
-
-/**
- * Handles new connection processing and setup logic with support for route-based configuration
- */
-export class RouteConnectionHandler {
-  // Note: Route context caching was considered but not implemented
-  // as route contexts are lightweight and should be created fresh
-  // for each connection to ensure accurate context data
-  
-  // RxJS Subject for new connections
-  public newConnectionSubject = new plugins.smartrx.rxjs.Subject<IConnectionRecord>();
-
-  constructor(
-    private smartProxy: SmartProxy
-  ) {}
-  
-
-  /**
-   * Create a route context object for port and host mapping functions
-   */
-  private createRouteContext(options: {
-    connectionId: string;
-    port: number;
-    domain?: string;
-    clientIp: string;
-    serverIp: string;
-    isTls: boolean;
-    tlsVersion?: string;
-    routeName?: string;
-    routeId?: string;
-    path?: string;
-    query?: string;
-    headers?: Record<string, string>;
-  }): IRouteContext {
-    return {
-      // Connection information
-      port: options.port,
-      domain: options.domain,
-      clientIp: options.clientIp,
-      serverIp: options.serverIp,
-      path: options.path,
-      query: options.query,
-      headers: options.headers,
-
-      // TLS information
-      isTls: options.isTls,
-      tlsVersion: options.tlsVersion,
-
-      // Route information
-      routeName: options.routeName,
-      routeId: options.routeId,
-
-      // Additional properties
-      timestamp: Date.now(),
-      connectionId: options.connectionId,
-    };
-  }
-
-  /**
-   * Handle a new incoming connection
-   */
-  public handleConnection(socket: plugins.net.Socket): void {
-    const remoteIP = socket.remoteAddress || '';
-    const localPort = socket.localPort || 0;
-
-    // Always wrap the socket to prepare for potential PROXY protocol
-    const wrappedSocket = new WrappedSocket(socket);
-    
-    // If this is from a trusted proxy, log it
-    if (this.smartProxy.settings.proxyIPs?.includes(remoteIP)) {
-      logger.log('debug', `Connection from trusted proxy ${remoteIP}, PROXY protocol parsing will be enabled`, {
-        remoteIP,
-        component: 'route-handler'
-      });
-    }
-
-    // Validate IP against rate limits and connection limits
-    // Note: For wrapped sockets, this will use the underlying socket IP until PROXY protocol is parsed
-    const ipValidation = this.smartProxy.securityManager.validateIP(wrappedSocket.remoteAddress || '');
-    if (!ipValidation.allowed) {
-      connectionLogDeduplicator.log(
-        'ip-rejected',
-        'warn',
-        `Connection rejected from ${wrappedSocket.remoteAddress}`,
-        { remoteIP: wrappedSocket.remoteAddress, reason: ipValidation.reason, component: 'route-handler' },
-        wrappedSocket.remoteAddress
-      );
-      cleanupSocket(wrappedSocket.socket, `rejected-${ipValidation.reason}`, { immediate: true });
-      return;
-    }
-
-    // Create a new connection record with the wrapped socket
-    const record = this.smartProxy.connectionManager.createConnection(wrappedSocket);
-    if (!record) {
-      // Connection was rejected due to limit - socket already destroyed by connection manager
-      return;
-    }
-    
-    // Emit new connection event
-    this.newConnectionSubject.next(record);
-    const connectionId = record.id;
-
-    // Apply socket optimizations (apply to underlying socket)
-    const underlyingSocket = wrappedSocket.socket;
-    underlyingSocket.setNoDelay(this.smartProxy.settings.noDelay);
-
-    // Apply keep-alive settings if enabled
-    if (this.smartProxy.settings.keepAlive) {
-      underlyingSocket.setKeepAlive(true, this.smartProxy.settings.keepAliveInitialDelay);
-      record.hasKeepAlive = true;
-
-      // Apply enhanced TCP keep-alive options if enabled
-      if (this.smartProxy.settings.enableKeepAliveProbes) {
-        try {
-          // These are platform-specific and may not be available
-          if ('setKeepAliveProbes' in underlyingSocket) {
-            (underlyingSocket as any).setKeepAliveProbes(10);
-          }
-          if ('setKeepAliveInterval' in underlyingSocket) {
-            (underlyingSocket as any).setKeepAliveInterval(1000);
-          }
-        } catch (err) {
-          // Ignore errors - these are optional enhancements
-          if (this.smartProxy.settings.enableDetailedLogging) {
-            logger.log('warn', `Enhanced TCP keep-alive settings not supported`, { connectionId, error: err, component: 'route-handler' });
-          }
-        }
-      }
-    }
-
-    if (this.smartProxy.settings.enableDetailedLogging) {
-      logger.log('info', 
-        `New connection from ${remoteIP} on port ${localPort}. ` +
-        `Keep-Alive: ${record.hasKeepAlive ? 'Enabled' : 'Disabled'}. ` +
-        `Active connections: ${this.smartProxy.connectionManager.getConnectionCount()}`, 
-        {
-          connectionId,
-          remoteIP,
-          localPort,
-          keepAlive: record.hasKeepAlive ? 'Enabled' : 'Disabled',
-          activeConnections: this.smartProxy.connectionManager.getConnectionCount(),
-          component: 'route-handler'
-        }
-      );
-    } else {
-      logger.log('info', 
-        `New connection from ${remoteIP} on port ${localPort}. Active connections: ${this.smartProxy.connectionManager.getConnectionCount()}`, 
-        {
-          remoteIP,
-          localPort,
-          activeConnections: this.smartProxy.connectionManager.getConnectionCount(),
-          component: 'route-handler'
-        }
-      );
-    }
-
-    // Handle the connection - wait for initial data to determine if it's TLS
-    this.handleInitialData(wrappedSocket, record);
-  }
-
-  /**
-   * Handle initial data from a connection to determine routing
-   */
-  private handleInitialData(socket: plugins.net.Socket | WrappedSocket, record: IConnectionRecord): void {
-    const connectionId = record.id;
-    const localPort = record.localPort;
-    let initialDataReceived = false;
-
-    // Check if any routes on this port require TLS handling
-    const allRoutes = this.smartProxy.routeManager.getRoutes();
-    const needsTlsHandling = allRoutes.some(route => {
-      // Check if route matches this port
-      const matchesPort = this.smartProxy.routeManager.getRoutesForPort(localPort).includes(route);
-      
-      return matchesPort && 
-             route.action.type === 'forward' && 
-             route.action.tls && 
-             (route.action.tls.mode === 'terminate' || 
-              route.action.tls.mode === 'passthrough');
-    });
-
-    // If no routes require TLS handling and it's not port 443, route immediately
-    if (!needsTlsHandling && localPort !== 443) {
-      // Extract underlying socket for socket-utils functions
-      const underlyingSocket = getUnderlyingSocket(socket);
-      // Set up proper socket handlers for immediate routing
-      setupSocketHandlers(
-        underlyingSocket,
-        (reason) => {
-          // Always cleanup when incoming socket closes
-          // This prevents connection accumulation in proxy chains
-          logger.log('debug', `Connection ${connectionId} closed during immediate routing: ${reason}`, {
-            connectionId,
-            remoteIP: record.remoteIP,
-            reason,
-            hasOutgoing: !!record.outgoing,
-            outgoingState: record.outgoing?.readyState,
-            component: 'route-handler'
-          });
-          
-          // If there's a pending or established outgoing connection, destroy it
-          if (record.outgoing && !record.outgoing.destroyed) {
-            logger.log('debug', `Destroying outgoing connection for ${connectionId}`, {
-              connectionId,
-              outgoingState: record.outgoing.readyState,
-              component: 'route-handler'
-            });
-            record.outgoing.destroy();
-          }
-          
-          // Always cleanup the connection record
-          this.smartProxy.connectionManager.cleanupConnection(record, reason);
-        },
-        undefined, // Use default timeout handler
-        'immediate-route-client'
-      );
-      
-      // Route immediately for non-TLS connections
-      this.routeConnection(socket, record, '', undefined);
-      return;
-    }
-
-    // Otherwise, wait for initial data to check if it's TLS
-    // Set an initial timeout for handshake data
-    let initialTimeout: NodeJS.Timeout | null = setTimeout(() => {
-      if (!initialDataReceived) {
-        logger.log('warn', `No initial data received from ${record.remoteIP} after ${this.smartProxy.settings.initialDataTimeout}ms for connection ${connectionId}`, {
-          connectionId,
-          timeout: this.smartProxy.settings.initialDataTimeout,
-          remoteIP: record.remoteIP,
-          component: 'route-handler'
-        });
-
-        // Add a grace period
-        setTimeout(() => {
-          if (!initialDataReceived) {
-            logger.log('warn', `Final initial data timeout after grace period for connection ${connectionId}`, {
-              connectionId,
-              component: 'route-handler'
-            });
-            if (record.incomingTerminationReason === null) {
-              record.incomingTerminationReason = 'initial_timeout';
-              this.smartProxy.connectionManager.incrementTerminationStat('incoming', 'initial_timeout');
-            }
-            socket.end();
-            this.smartProxy.connectionManager.cleanupConnection(record, 'initial_timeout');
-          }
-        }, 30000);
-      }
-    }, this.smartProxy.settings.initialDataTimeout!);
-
-    // Make sure timeout doesn't keep the process alive
-    if (initialTimeout.unref) {
-      initialTimeout.unref();
-    }
-
-    // Set up error handler
-    socket.on('error', this.smartProxy.connectionManager.handleError('incoming', record));
-
-    // Add close/end handlers to catch immediate disconnections
-    socket.once('close', () => {
-      if (!initialDataReceived) {
-        logger.log('warn', `Connection ${connectionId} closed before sending initial data`, {
-          connectionId,
-          remoteIP: record.remoteIP,
-          component: 'route-handler'
-        });
-        if (initialTimeout) {
-          clearTimeout(initialTimeout);
-          initialTimeout = null;
-        }
-        this.smartProxy.connectionManager.cleanupConnection(record, 'closed_before_data');
-      }
-    });
-
-    socket.once('end', () => {
-      if (!initialDataReceived) {
-        logger.log('debug', `Connection ${connectionId} ended before sending initial data`, {
-          connectionId,
-          remoteIP: record.remoteIP,
-          component: 'route-handler'
-        });
-        if (initialTimeout) {
-          clearTimeout(initialTimeout);
-          initialTimeout = null;
-        }
-        // Don't cleanup on 'end' - wait for 'close'
-      }
-    });
-
-    // Handler for processing initial data (after potential PROXY protocol)
-    const processInitialData = async (chunk: Buffer) => {
-      // Create connection context for protocol detection
-      const context = ProtocolDetector.createConnectionContext({
-        sourceIp: record.remoteIP,
-        sourcePort: socket.remotePort || 0,
-        destIp: socket.localAddress || '',
-        destPort: socket.localPort || 0,
-        socketId: record.id
-      });
-      
-      const detectionResult = await ProtocolDetector.detectWithContext(
-        chunk,
-        context,
-        { extractFullHeaders: false } // Only extract essential info for routing
-      );
-      
-      // Block non-TLS connections on port 443
-      if (localPort === 443 && detectionResult.protocol !== 'tls') {
-        logger.log('warn', `Non-TLS connection ${record.id} detected on port 443. Terminating connection - only TLS traffic is allowed on standard HTTPS port.`, {
-          connectionId: record.id,
-          detectedProtocol: detectionResult.protocol,
-          message: 'Terminating connection - only TLS traffic is allowed on standard HTTPS port.',
-          component: 'route-handler'
-        });
-        if (record.incomingTerminationReason === null) {
-          record.incomingTerminationReason = 'non_tls_blocked';
-          this.smartProxy.connectionManager.incrementTerminationStat('incoming', 'non_tls_blocked');
-        }
-        socket.end();
-        this.smartProxy.connectionManager.cleanupConnection(record, 'non_tls_blocked');
-        return;
-      }
-
-      // Extract domain and protocol info
-      let serverName = '';
-      if (detectionResult.protocol === 'tls') {
-        record.isTLS = true;
-        serverName = detectionResult.connectionInfo.domain || '';
-        
-        // Lock the connection to the negotiated SNI
-        record.lockedDomain = serverName;
-
-        // Check if we should reject connections without SNI
-        if (!serverName && this.smartProxy.settings.allowSessionTicket === false) {
-          logger.log('warn', `No SNI detected in TLS ClientHello for connection ${record.id}; sending TLS alert`, {
-            connectionId: record.id,
-            component: 'route-handler'
-          });
-          if (record.incomingTerminationReason === null) {
-            record.incomingTerminationReason = 'session_ticket_blocked_no_sni';
-            this.smartProxy.connectionManager.incrementTerminationStat(
-              'incoming',
-              'session_ticket_blocked_no_sni'
-            );
-          }
-          const alert = Buffer.from([0x15, 0x03, 0x03, 0x00, 0x02, 0x01, 0x70]);
-          try {
-            // Count the alert bytes being sent
-            record.bytesSent += alert.length;
-            if (this.smartProxy.metricsCollector) {
-              this.smartProxy.metricsCollector.recordBytes(record.id, 0, alert.length);
-            }
-            
-            socket.cork();
-            socket.write(alert);
-            socket.uncork();
-            socket.end();
-          } catch {
-            socket.end();
-          }
-          this.smartProxy.connectionManager.cleanupConnection(record, 'session_ticket_blocked_no_sni');
-          return;
-        }
-
-        if (this.smartProxy.settings.enableDetailedLogging) {
-          logger.log('info', `TLS connection with SNI`, {
-            connectionId: record.id,
-            serverName: serverName || '(empty)',
-            component: 'route-handler'
-          });
-        }
-      } else if (detectionResult.protocol === 'http') {
-        // For HTTP, extract domain from Host header
-        serverName = detectionResult.connectionInfo.domain || '';
-        
-        // Store HTTP-specific info for later use
-        record.httpInfo = {
-          method: detectionResult.connectionInfo.method,
-          path: detectionResult.connectionInfo.path,
-          headers: detectionResult.connectionInfo.headers
-        };
-        
-        if (this.smartProxy.settings.enableDetailedLogging) {
-          logger.log('info', `HTTP connection detected`, {
-            connectionId: record.id,
-            domain: serverName || '(no host header)',
-            method: detectionResult.connectionInfo.method,
-            path: detectionResult.connectionInfo.path,
-            component: 'route-handler'
-          });
-        }
-      }
-
-      // Find the appropriate route for this connection
-      this.routeConnection(socket, record, serverName, chunk, detectionResult);
-    };
-
-    // First data handler to capture initial TLS handshake or PROXY protocol
-    socket.once('data', async (chunk: Buffer) => {
-      // Clear the initial timeout since we've received data
-      if (initialTimeout) {
-        clearTimeout(initialTimeout);
-        initialTimeout = null;
-      }
-
-      initialDataReceived = true;
-      record.hasReceivedInitialData = true;
-
-      // Check if this is from a trusted proxy and might have PROXY protocol
-      if (this.smartProxy.settings.proxyIPs?.includes(socket.remoteAddress || '') && this.smartProxy.settings.acceptProxyProtocol !== false) {
-        // Check if this starts with PROXY protocol
-        if (chunk.toString('ascii', 0, Math.min(6, chunk.length)).startsWith('PROXY ')) {
-          try {
-            const parseResult = ProxyProtocolParser.parse(chunk);
-            
-            if (parseResult.proxyInfo) {
-              // Update the wrapped socket with real client info (if it's a WrappedSocket)
-              if (socket instanceof WrappedSocket) {
-                socket.setProxyInfo(parseResult.proxyInfo.sourceIP, parseResult.proxyInfo.sourcePort);
-              }
-              
-              // Update connection record with real client info
-              record.remoteIP = parseResult.proxyInfo.sourceIP;
-              record.remotePort = parseResult.proxyInfo.sourcePort;
-              
-              logger.log('info', `PROXY protocol parsed successfully`, {
-                connectionId,
-                realClientIP: parseResult.proxyInfo.sourceIP,
-                realClientPort: parseResult.proxyInfo.sourcePort,
-                proxyIP: socket.remoteAddress,
-                component: 'route-handler'
-              });
-              
-              // Process remaining data if any
-              if (parseResult.remainingData.length > 0) {
-                processInitialData(parseResult.remainingData);
-              } else {
-                // Wait for more data
-                socket.once('data', processInitialData);
-              }
-              return;
-            }
-          } catch (error) {
-            logger.log('error', `Failed to parse PROXY protocol from trusted proxy`, {
-              connectionId,
-              error: error.message,
-              proxyIP: socket.remoteAddress,
-              component: 'route-handler'
-            });
-            // Continue processing as normal data
-          }
-        }
-      }
-
-      // Process as normal data (no PROXY protocol)
-      processInitialData(chunk);
-    });
-  }
-
-  /**
-   * Route the connection based on match criteria
-   */
-  private routeConnection(
-    socket: plugins.net.Socket | WrappedSocket,
-    record: IConnectionRecord,
-    serverName: string,
-    initialChunk?: Buffer,
-    detectionResult?: any // Using any temporarily to avoid circular dependency issues
-  ): void {
-    const connectionId = record.id;
-    const localPort = record.localPort;
-    const remoteIP = record.remoteIP;
-
-    // Check if this is an HTTP proxy port
-    const isHttpProxyPort = this.smartProxy.settings.useHttpProxy?.includes(localPort);
-    
-    // For HTTP proxy ports without TLS, skip domain check since domain info comes from HTTP headers
-    const skipDomainCheck = isHttpProxyPort && !record.isTLS;
-
-    // Create route context for matching
-    const routeContext: IRouteContext = {
-      port: localPort,
-      domain: skipDomainCheck ? undefined : serverName, // Skip domain if HTTP proxy without TLS
-      clientIp: remoteIP,
-      serverIp: socket.localAddress || '',
-      path: undefined, // We don't have path info at this point
-      isTls: record.isTLS,
-      tlsVersion: undefined, // We don't extract TLS version yet
-      timestamp: Date.now(),
-      connectionId: record.id
-    };
-
-    // Find matching route
-    const routeMatch = this.smartProxy.routeManager.findMatchingRoute(routeContext);
-
-    if (!routeMatch) {
-      logger.log('warn', `No route found for ${serverName || 'connection'} on port ${localPort} (connection: ${connectionId})`, {
-        connectionId,
-        serverName: serverName || 'connection',
-        localPort,
-        component: 'route-handler'
-      });
-
-      // No matching route, use default/fallback handling
-      logger.log('info', `Using default route handling for connection ${connectionId}`, {
-        connectionId,
-        component: 'route-handler'
-      });
-
-      // Check default security settings
-      const defaultSecuritySettings = this.smartProxy.settings.defaults?.security;
-      if (defaultSecuritySettings) {
-        if (defaultSecuritySettings.ipAllowList && defaultSecuritySettings.ipAllowList.length > 0) {
-          const isAllowed = this.smartProxy.securityManager.isIPAuthorized(
-            remoteIP,
-            defaultSecuritySettings.ipAllowList,
-            defaultSecuritySettings.ipBlockList || []
-          );
-
-          if (!isAllowed) {
-            logger.log('warn', `IP ${remoteIP} not in default allowed list for connection ${connectionId}`, {
-              connectionId,
-              remoteIP,
-              component: 'route-handler'
-            });
-            socket.end();
-            this.smartProxy.connectionManager.cleanupConnection(record, 'ip_blocked');
-            return;
-          }
-        }
-      }
-
-      // Setup direct connection with default settings
-      if (this.smartProxy.settings.defaults?.target) {
-        // Use defaults from configuration
-        const targetHost = this.smartProxy.settings.defaults.target.host;
-        const targetPort = this.smartProxy.settings.defaults.target.port;
-
-        return this.setupDirectConnection(
-          socket,
-          record,
-          serverName,
-          initialChunk,
-          undefined,
-          targetHost,
-          targetPort
-        );
-      } else {
-        // No default target available, terminate the connection
-        logger.log('warn', `No default target configured for connection ${connectionId}. Closing connection`, {
-          connectionId,
-          component: 'route-handler'
-        });
-        socket.end();
-        this.smartProxy.connectionManager.cleanupConnection(record, 'no_default_target');
-        return;
-      }
-    }
-
-    // A matching route was found
-    const route = routeMatch.route;
-
-    if (this.smartProxy.settings.enableDetailedLogging) {
-      logger.log('info', `Route matched`, {
-        connectionId,
-        routeName: route.name || 'unnamed',
-        serverName: serverName || 'connection',
-        localPort,
-        component: 'route-handler'
-      });
-    }
-
-    // Apply route-specific security checks
-    if (route.security) {
-      // Check IP allow/block lists
-      if (route.security.ipAllowList || route.security.ipBlockList) {
-        const isIPAllowed = this.smartProxy.securityManager.isIPAuthorized(
-          remoteIP,
-          route.security.ipAllowList || [],
-          route.security.ipBlockList || []
-        );
-
-        if (!isIPAllowed) {
-          // Deduplicated logging for route IP blocks
-          connectionLogDeduplicator.log(
-            'ip-rejected',
-            'warn',
-            `IP blocked by route security`,
-            {
-              connectionId,
-              remoteIP,
-              routeName: route.name || 'unnamed',
-              reason: 'route-ip-blocked',
-              component: 'route-handler'
-            },
-            remoteIP
-          );
-          socket.end();
-          this.smartProxy.connectionManager.cleanupConnection(record, 'route_ip_blocked');
-          return;
-        }
-      }
-
-      // Check max connections per route
-      if (route.security.maxConnections !== undefined) {
-        const routeId = route.id || route.name || 'unnamed';
-        const currentConnections = this.smartProxy.connectionManager.getConnectionCountByRoute(routeId);
-        
-        if (currentConnections >= route.security.maxConnections) {
-          // Deduplicated logging for route connection limits
-          connectionLogDeduplicator.log(
-            'connection-rejected',
-            'warn',
-            `Route connection limit reached`,
-            {
-              connectionId,
-              routeName: route.name,
-              currentConnections,
-              maxConnections: route.security.maxConnections,
-              reason: 'route-limit',
-              component: 'route-handler'
-            },
-            `route-limit-${route.name}`
-          );
-          socket.end();
-          this.smartProxy.connectionManager.cleanupConnection(record, 'route_connection_limit');
-          return;
-        }
-      }
-
-      // Check authentication requirements
-      if (route.security.authentication || route.security.basicAuth || route.security.jwtAuth) {
-        // Authentication checks would typically happen at the HTTP layer
-        // For non-HTTP connections or passthrough, we can't enforce authentication
-        if (route.action.type === 'forward' && route.action.tls?.mode !== 'terminate') {
-          logger.log('warn', `Route ${route.name} has authentication configured but it cannot be enforced for non-terminated connections`, {
-            connectionId,
-            routeName: route.name,
-            tlsMode: route.action.tls?.mode || 'none',
-            component: 'route-handler'
-          });
-        }
-      }
-    }
-
-    // Handle the route based on its action type
-    switch (route.action.type) {
-      case 'forward':
-        return this.handleForwardAction(socket, record, route, initialChunk, detectionResult);
-
-      case 'socket-handler':
-        logger.log('info', `Handling socket-handler action for route ${route.name}`, {
-          connectionId,
-          routeName: route.name,
-          component: 'route-handler'
-        });
-        this.handleSocketHandlerAction(socket, record, route, initialChunk);
-        return;
-
-      default:
-        logger.log('error', `Unknown action type '${(route.action as any).type}' for connection ${connectionId}`, {
-          connectionId,
-          actionType: (route.action as any).type,
-          component: 'route-handler'
-        });
-        socket.end();
-        this.smartProxy.connectionManager.cleanupConnection(record, 'unknown_action');
-    }
-  }
-
-  /**
-   * Select the appropriate target from the targets array based on sub-matching criteria
-   */
-  private selectTarget(
-    targets: IRouteTarget[],
-    context: {
-      port: number;
-      path?: string;
-      headers?: Record<string, string>;
-      method?: string;
-    }
-  ): IRouteTarget | null {
-    // Sort targets by priority (higher first)
-    const sortedTargets = [...targets].sort((a, b) => (b.priority || 0) - (a.priority || 0));
-    
-    // Find the first matching target
-    for (const target of sortedTargets) {
-      if (!target.match) {
-        // No match criteria means this is a default/fallback target
-        return target;
-      }
-      
-      // Check port match
-      if (target.match.ports && !target.match.ports.includes(context.port)) {
-        continue;
-      }
-      
-      // Check path match (supports wildcards)
-      if (target.match.path && context.path) {
-        const pathPattern = target.match.path.replace(/\*/g, '.*');
-        const pathRegex = new RegExp(`^${pathPattern}$`);
-        if (!pathRegex.test(context.path)) {
-          continue;
-        }
-      }
-      
-      // Check method match
-      if (target.match.method && context.method && !target.match.method.includes(context.method)) {
-        continue;
-      }
-      
-      // Check headers match
-      if (target.match.headers && context.headers) {
-        let headersMatch = true;
-        for (const [key, pattern] of Object.entries(target.match.headers)) {
-          const headerValue = context.headers[key.toLowerCase()];
-          if (!headerValue) {
-            headersMatch = false;
-            break;
-          }
-          
-          if (pattern instanceof RegExp) {
-            if (!pattern.test(headerValue)) {
-              headersMatch = false;
-              break;
-            }
-          } else if (headerValue !== pattern) {
-            headersMatch = false;
-            break;
-          }
-        }
-        if (!headersMatch) {
-          continue;
-        }
-      }
-      
-      // All criteria matched
-      return target;
-    }
-    
-    // No matching target found, return the first target without match criteria (default)
-    return sortedTargets.find(t => !t.match) || null;
-  }
-
-  /**
-   * Handle a forward action for a route
-   */
-  private handleForwardAction(
-    socket: plugins.net.Socket | WrappedSocket,
-    record: IConnectionRecord,
-    route: IRouteConfig,
-    initialChunk?: Buffer,
-    detectionResult?: any // Using any temporarily to avoid circular dependency issues
-  ): void {
-    const connectionId = record.id;
-    const action = route.action as IRouteAction;
-    
-    // Store the route config in the connection record for metrics and other uses
-    record.routeConfig = route;
-    record.routeId = route.id || route.name || 'unnamed';
-    
-    // Track connection by route
-    this.smartProxy.connectionManager.trackConnectionByRoute(record.routeId, record.id);
-
-    // Check if this route uses NFTables for forwarding
-    if (action.forwardingEngine === 'nftables') {
-      // NFTables handles packet forwarding at the kernel level
-      // The application should NOT interfere with these connections
-      
-      // Log the connection for monitoring purposes
-      if (this.smartProxy.settings.enableDetailedLogging) {
-        logger.log('info', `NFTables forwarding (kernel-level)`, {
-          connectionId: record.id,
-          source: `${record.remoteIP}:${socket.remotePort}`,
-          destination: `${socket.localAddress}:${record.localPort}`,
-          routeName: route.name || 'unnamed',
-          domain: record.lockedDomain || 'n/a',
-          component: 'route-handler'
-        });
-      } else {
-        logger.log('info', `NFTables forwarding`, {
-          connectionId: record.id,
-          remoteIP: record.remoteIP,
-          localPort: record.localPort,
-          routeName: route.name || 'unnamed',
-          component: 'route-handler'
-        });
-      }
-
-      // Additional NFTables-specific logging if configured
-      if (action.nftables) {
-        const nftConfig = action.nftables;
-        if (this.smartProxy.settings.enableDetailedLogging) {
-          logger.log('info', `NFTables config`, {
-            connectionId: record.id,
-            protocol: nftConfig.protocol || 'tcp',
-            preserveSourceIP: nftConfig.preserveSourceIP || false,
-            priority: nftConfig.priority || 'default',
-            maxRate: nftConfig.maxRate || 'unlimited',
-            component: 'route-handler'
-          });
-        }
-      }
-      
-      // For NFTables routes, we should still track the connection but not interfere
-      // Mark the connection as using network proxy so it's cleaned up properly
-      record.usingNetworkProxy = true;
-      
-      // We don't close the socket - just let it remain open
-      // The kernel-level NFTables rules will handle the actual forwarding
-      
-      // Set up cleanup when the socket eventually closes
-      socket.once('close', () => {
-        this.smartProxy.connectionManager.cleanupConnection(record, 'nftables_closed');
-      });
-      
-      return;
-    }
-
-    // Select the appropriate target from the targets array
-    if (!action.targets || action.targets.length === 0) {
-      logger.log('error', `Forward action missing targets configuration for connection ${connectionId}`, {
-        connectionId,
-        component: 'route-handler'
-      });
-      socket.end();
-      this.smartProxy.connectionManager.cleanupConnection(record, 'missing_targets');
-      return;
-    }
-    
-    // Create context for target selection
-    const targetSelectionContext = {
-      port: record.localPort,
-      path: record.httpInfo?.path,
-      headers: record.httpInfo?.headers,
-      method: record.httpInfo?.method
-    };
-    
-    const selectedTarget = this.selectTarget(action.targets, targetSelectionContext);
-    if (!selectedTarget) {
-      logger.log('error', `No matching target found for connection ${connectionId}`, {
-        connectionId,
-        port: targetSelectionContext.port,
-        component: 'route-handler'
-      });
-      socket.end();
-      this.smartProxy.connectionManager.cleanupConnection(record, 'no_matching_target');
-      return;
-    }
-
-    // Create the routing context for this connection
-    const routeContext = this.createRouteContext({
-      connectionId: record.id,
-      port: record.localPort,
-      domain: record.lockedDomain,
-      clientIp: record.remoteIP,
-      serverIp: socket.localAddress || '',
-      isTls: record.isTLS || false,
-      tlsVersion: record.tlsVersion,
-      routeName: route.name,
-      routeId: route.id,
-    });
-
-    // Note: Route contexts are not cached to ensure fresh data for each connection
-
-    // Determine host using function or static value
-    let targetHost: string | string[];
-    if (typeof selectedTarget.host === 'function') {
-      try {
-        targetHost = selectedTarget.host(routeContext);
-        if (this.smartProxy.settings.enableDetailedLogging) {
-          logger.log('info', `Dynamic host resolved to ${Array.isArray(targetHost) ? targetHost.join(', ') : targetHost} for connection ${connectionId}`, {
-            connectionId,
-            targetHost: Array.isArray(targetHost) ? targetHost.join(', ') : targetHost,
-            component: 'route-handler'
-          });
-        }
-      } catch (err) {
-        logger.log('error', `Error in host mapping function for connection ${connectionId}: ${err}`, {
-          connectionId,
-          error: err,
-          component: 'route-handler'
-        });
-        socket.end();
-        this.smartProxy.connectionManager.cleanupConnection(record, 'host_mapping_error');
-        return;
-      }
-    } else {
-      targetHost = selectedTarget.host;
-    }
-
-    // If an array of hosts, select one randomly for load balancing
-    const selectedHost = Array.isArray(targetHost)
-      ? targetHost[Math.floor(Math.random() * targetHost.length)]
-      : targetHost;
-
-    // Determine port using function or static value
-    let targetPort: number;
-    if (typeof selectedTarget.port === 'function') {
-      try {
-        targetPort = selectedTarget.port(routeContext);
-        if (this.smartProxy.settings.enableDetailedLogging) {
-          logger.log('info', `Dynamic port mapping from ${record.localPort} to ${targetPort} for connection ${connectionId}`, {
-            connectionId,
-            sourcePort: record.localPort,
-            targetPort,
-            component: 'route-handler'
-          });
-        }
-        // Store the resolved target port in the context for potential future use
-        routeContext.targetPort = targetPort;
-      } catch (err) {
-        logger.log('error', `Error in port mapping function for connection ${connectionId}: ${err}`, {
-          connectionId,
-          error: err,
-          component: 'route-handler'
-        });
-        socket.end();
-        this.smartProxy.connectionManager.cleanupConnection(record, 'port_mapping_error');
-        return;
-      }
-    } else if (selectedTarget.port === 'preserve') {
-      // Use incoming port if port is 'preserve'
-      targetPort = record.localPort;
-    } else {
-      // Use static port from configuration
-      targetPort = selectedTarget.port;
-    }
-
-    // Store the resolved host in the context
-    routeContext.targetHost = selectedHost;
-
-    // Get effective settings (target overrides route-level settings)
-    const effectiveTls = selectedTarget.tls || action.tls;
-    const effectiveWebsocket = selectedTarget.websocket || action.websocket;
-    const effectiveSendProxyProtocol = selectedTarget.sendProxyProtocol !== undefined 
-      ? selectedTarget.sendProxyProtocol 
-      : action.sendProxyProtocol;
-
-    // Determine if this needs TLS handling
-    if (effectiveTls) {
-      switch (effectiveTls.mode) {
-        case 'passthrough':
-          // For TLS passthrough, just forward directly
-          if (this.smartProxy.settings.enableDetailedLogging) {
-            logger.log('info', `Using TLS passthrough to ${selectedHost}:${targetPort} for connection ${connectionId}`, {
-              connectionId,
-              targetHost: selectedHost,
-              targetPort,
-              component: 'route-handler'
-            });
-          }
-
-          return this.setupDirectConnection(
-            socket,
-            record,
-            record.lockedDomain,
-            initialChunk,
-            undefined,
-            selectedHost,
-            targetPort
-          );
-
-        case 'terminate':
-        case 'terminate-and-reencrypt':
-          // For TLS termination, use HttpProxy
-          if (this.smartProxy.httpProxyBridge.getHttpProxy()) {
-            if (this.smartProxy.settings.enableDetailedLogging) {
-              logger.log('info', `Using HttpProxy for TLS termination to ${Array.isArray(selectedTarget.host) ? selectedTarget.host.join(', ') : selectedTarget.host} for connection ${connectionId}`, {
-                connectionId,
-                targetHost: selectedTarget.host,
-                component: 'route-handler'
-              });
-            }
-
-            // If we have an initial chunk with TLS data, start processing it
-            if (initialChunk && record.isTLS) {
-              this.smartProxy.httpProxyBridge.forwardToHttpProxy(
-                connectionId,
-                socket,
-                record,
-                initialChunk,
-                this.smartProxy.settings.httpProxyPort || 8443,
-                (reason) => this.smartProxy.connectionManager.cleanupConnection(record, reason)
-              );
-              return;
-            }
-
-            // This shouldn't normally happen - we should have TLS data at this point
-            logger.log('error', `TLS termination route without TLS data for connection ${connectionId}`, {
-              connectionId,
-              component: 'route-handler'
-            });
-            socket.end();
-            this.smartProxy.connectionManager.cleanupConnection(record, 'tls_error');
-            return;
-          } else {
-            logger.log('error', `HttpProxy not available for TLS termination for connection ${connectionId}`, {
-              connectionId,
-              component: 'route-handler'
-            });
-            socket.end();
-            this.smartProxy.connectionManager.cleanupConnection(record, 'no_http_proxy');
-            return;
-          }
-      }
-    } else {
-      // No TLS settings - check if this port should use HttpProxy
-      const isHttpProxyPort = this.smartProxy.settings.useHttpProxy?.includes(record.localPort);
-      
-      // Debug logging
-      if (this.smartProxy.settings.enableDetailedLogging) {
-        logger.log('debug', `Checking HttpProxy forwarding: port=${record.localPort}, useHttpProxy=${JSON.stringify(this.smartProxy.settings.useHttpProxy)}, isHttpProxyPort=${isHttpProxyPort}, hasHttpProxy=${!!this.smartProxy.httpProxyBridge.getHttpProxy()}`, {
-          connectionId,
-          localPort: record.localPort,
-          useHttpProxy: this.smartProxy.settings.useHttpProxy,
-          isHttpProxyPort,
-          hasHttpProxy: !!this.smartProxy.httpProxyBridge.getHttpProxy(),
-          component: 'route-handler'
-        });
-      }
-      
-      if (isHttpProxyPort && this.smartProxy.httpProxyBridge.getHttpProxy()) {
-        // Forward non-TLS connections to HttpProxy if configured
-        if (this.smartProxy.settings.enableDetailedLogging) {
-          logger.log('info', `Using HttpProxy for non-TLS connection ${connectionId} on port ${record.localPort}`, {
-            connectionId,
-            port: record.localPort,
-            component: 'route-handler'
-          });
-        }
-        
-        this.smartProxy.httpProxyBridge.forwardToHttpProxy(
-          connectionId,
-          socket,
-          record,
-          initialChunk,
-          this.smartProxy.settings.httpProxyPort || 8443,
-          (reason) => this.smartProxy.connectionManager.cleanupConnection(record, reason)
-        );
-        return;
-      } else {
-        // Basic forwarding
-        if (this.smartProxy.settings.enableDetailedLogging) {
-          logger.log('info', `Using basic forwarding to ${Array.isArray(selectedTarget.host) ? selectedTarget.host.join(', ') : selectedTarget.host}:${selectedTarget.port} for connection ${connectionId}`, {
-            connectionId,
-            targetHost: selectedTarget.host,
-            targetPort: selectedTarget.port,
-            component: 'route-handler'
-          });
-        }
-
-        // Get the appropriate host value
-        let targetHost: string;
-
-        if (typeof selectedTarget.host === 'function') {
-          // For function-based host, use the same routeContext created earlier
-          const hostResult = selectedTarget.host(routeContext);
-          targetHost = Array.isArray(hostResult)
-            ? hostResult[Math.floor(Math.random() * hostResult.length)]
-            : hostResult;
-        } else {
-          // For static host value
-          targetHost = Array.isArray(selectedTarget.host)
-            ? selectedTarget.host[Math.floor(Math.random() * selectedTarget.host.length)]
-            : selectedTarget.host;
-        }
-
-        // Determine port - either function-based, static, or preserve incoming port
-        let targetPort: number;
-        if (typeof selectedTarget.port === 'function') {
-          targetPort = selectedTarget.port(routeContext);
-        } else if (selectedTarget.port === 'preserve') {
-          targetPort = record.localPort;
-        } else {
-          targetPort = selectedTarget.port;
-        }
-
-        // Update the connection record and context with resolved values
-        record.targetHost = targetHost;
-        record.targetPort = targetPort;
-
-        return this.setupDirectConnection(
-          socket,
-          record,
-          record.lockedDomain,
-          initialChunk,
-          undefined,
-          targetHost,
-          targetPort
-        );
-      }
-    }
-  }
-
-  /**
-   * Handle a socket-handler action for a route
-   */
-  private async handleSocketHandlerAction(
-    socket: plugins.net.Socket | WrappedSocket,
-    record: IConnectionRecord,
-    route: IRouteConfig,
-    initialChunk?: Buffer
-  ): Promise<void> {
-    const connectionId = record.id;
-    
-    // Store the route config in the connection record for metrics and other uses
-    record.routeConfig = route;
-    record.routeId = route.id || route.name || 'unnamed';
-    
-    // Track connection by route
-    this.smartProxy.connectionManager.trackConnectionByRoute(record.routeId, record.id);
-    
-    if (!route.action.socketHandler) {
-      logger.log('error', 'socket-handler action missing socketHandler function', {
-        connectionId,
-        routeName: route.name,
-        component: 'route-handler'
-      });
-      socket.destroy();
-      this.smartProxy.connectionManager.cleanupConnection(record, 'missing_handler');
-      return;
-    }
-    
-    // Track event listeners added by the handler so we can clean them up
-    const originalOn = socket.on.bind(socket);
-    const originalOnce = socket.once.bind(socket);
-    const trackedListeners: Array<{event: string; listener: (...args: any[]) => void}> = [];
-    
-    // Override socket.on to track listeners
-    socket.on = function(event: string, listener: (...args: any[]) => void) {
-      trackedListeners.push({event, listener});
-      return originalOn(event, listener);
-    } as any;
-    
-    // Override socket.once to track listeners
-    socket.once = function(event: string, listener: (...args: any[]) => void) {
-      trackedListeners.push({event, listener});
-      return originalOnce(event, listener);
-    } as any;
-    
-    // Set up automatic cleanup when socket closes
-    const cleanupHandler = () => {
-      // Remove all tracked listeners
-      for (const {event, listener} of trackedListeners) {
-        socket.removeListener(event, listener);
-      }
-      // Restore original methods
-      socket.on = originalOn;
-      socket.once = originalOnce;
-    };
-    
-    // Listen for socket close to trigger cleanup
-    originalOnce('close', cleanupHandler);
-    originalOnce('error', cleanupHandler);
-    
-    // Create route context for the handler
-    const routeContext = this.createRouteContext({
-      connectionId: record.id,
-      port: record.localPort,
-      domain: record.lockedDomain,
-      clientIp: record.remoteIP,
-      serverIp: socket.localAddress || '',
-      isTls: record.isTLS || false,
-      tlsVersion: record.tlsVersion,
-      routeName: route.name,
-      routeId: route.id,
-    });
-    
-    try {
-      // Call the handler with the appropriate socket (extract underlying if needed)
-      const handlerSocket = getUnderlyingSocket(socket);
-      const result = route.action.socketHandler(handlerSocket, routeContext);
-      
-      // Handle async handlers properly
-      if (result instanceof Promise) {
-        result
-          .then(() => {
-            // Emit initial chunk after async handler completes
-            if (initialChunk && initialChunk.length > 0) {
-              socket.emit('data', initialChunk);
-            }
-          })
-          .catch(error => {
-            logger.log('error', 'Socket handler error', {
-              connectionId,
-              routeName: route.name,
-              error: error.message,
-              component: 'route-handler'
-            });
-            // Remove all event listeners before destroying to prevent memory leaks
-            socket.removeAllListeners();
-            if (!socket.destroyed) {
-              socket.destroy();
-            }
-            this.smartProxy.connectionManager.cleanupConnection(record, 'handler_error');
-          });
-      } else {
-        // For sync handlers, emit on next tick
-        if (initialChunk && initialChunk.length > 0) {
-          process.nextTick(() => {
-            socket.emit('data', initialChunk);
-          });
-        }
-      }
-    } catch (error) {
-      logger.log('error', 'Socket handler error', {
-        connectionId,
-        routeName: route.name,
-        error: error.message,
-        component: 'route-handler'
-      });
-      // Remove all event listeners before destroying to prevent memory leaks
-      socket.removeAllListeners();
-      if (!socket.destroyed) {
-        socket.destroy();
-      }
-      this.smartProxy.connectionManager.cleanupConnection(record, 'handler_error');
-    }
-  }
-
-
-  /**
-   * Sets up a direct connection to the target
-   */
-  private setupDirectConnection(
-    socket: plugins.net.Socket | WrappedSocket,
-    record: IConnectionRecord,
-    serverName?: string,
-    initialChunk?: Buffer,
-    overridePort?: number,
-    targetHost?: string,
-    targetPort?: number
-  ): void {
-    const connectionId = record.id;
-
-    // Determine target host and port if not provided
-    const finalTargetHost =
-      targetHost || record.targetHost || this.smartProxy.settings.defaults?.target?.host || 'localhost';
-
-    // Determine target port
-    const finalTargetPort =
-      targetPort ||
-      record.targetPort ||
-      (overridePort !== undefined ? overridePort : this.smartProxy.settings.defaults?.target?.port || 443);
-
-    // Update record with final target information
-    record.targetHost = finalTargetHost;
-    record.targetPort = finalTargetPort;
-
-    if (this.smartProxy.settings.enableDetailedLogging) {
-      logger.log('info', `Setting up direct connection ${connectionId} to ${finalTargetHost}:${finalTargetPort}`, {
-        connectionId,
-        targetHost: finalTargetHost,
-        targetPort: finalTargetPort,
-        component: 'route-handler'
-      });
-    }
-
-    // Setup connection options
-    const connectionOptions: plugins.net.NetConnectOpts = {
-      host: finalTargetHost,
-      port: finalTargetPort,
-    };
-
-    // Preserve source IP if configured
-    if (this.smartProxy.settings.defaults?.preserveSourceIP || this.smartProxy.settings.preserveSourceIP) {
-      connectionOptions.localAddress = record.remoteIP.replace('::ffff:', '');
-    }
-
-    // Store initial data if provided
-    if (initialChunk) {
-      // Don't count bytes here - they will be counted when actually forwarded through bidirectional forwarding
-      record.pendingData.push(Buffer.from(initialChunk));
-      record.pendingDataSize = initialChunk.length;
-    }
-
-    // Create the target socket with immediate error handling
-    const targetSocket = createSocketWithErrorHandler({
-      port: finalTargetPort,
-      host: finalTargetHost,
-      timeout: this.smartProxy.settings.connectionTimeout || 30000, // Connection timeout (default: 30s)
-      onError: (error) => {
-        // Connection failed - clean up everything immediately
-        // Check if connection record is still valid (client might have disconnected)
-        if (record.connectionClosed) {
-          logger.log('debug', `Backend connection failed but client already disconnected for ${connectionId}`, {
-            connectionId,
-            errorCode: (error as any).code,
-            component: 'route-handler'
-          });
-          return;
-        }
-        
-        logger.log('error', 
-          `Connection setup error for ${connectionId} to ${finalTargetHost}:${finalTargetPort}: ${error.message} (${(error as any).code})`, 
-          {
-            connectionId,
-            targetHost: finalTargetHost,
-            targetPort: finalTargetPort,
-            errorMessage: error.message,
-            errorCode: (error as any).code,
-            component: 'route-handler'
-          }
-        );
-        
-        // Log specific error types for easier debugging
-        if ((error as any).code === 'ECONNREFUSED') {
-          logger.log('error', 
-            `Connection ${connectionId}: Target ${finalTargetHost}:${finalTargetPort} refused connection. Check if the target service is running and listening on that port.`, 
-            {
-              connectionId,
-              targetHost: finalTargetHost,
-              targetPort: finalTargetPort,
-              recommendation: 'Check if the target service is running and listening on that port.',
-              component: 'route-handler'
-            }
-          );
-        }
-        
-        // Resume the incoming socket to prevent it from hanging
-        if (socket && !socket.destroyed) {
-          socket.resume();
-        }
-        
-        // Clean up the incoming socket
-        if (socket && !socket.destroyed) {
-          socket.destroy();
-        }
-        
-        // Clean up the connection record - this is critical!
-        this.smartProxy.connectionManager.cleanupConnection(record, `connection_failed_${(error as any).code || 'unknown'}`);
-      },
-      onConnect: async () => {
-        if (this.smartProxy.settings.enableDetailedLogging) {
-          logger.log('info', `Connection ${connectionId} established to target ${finalTargetHost}:${finalTargetPort}`, {
-            connectionId,
-            targetHost: finalTargetHost,
-            targetPort: finalTargetPort,
-            component: 'route-handler'
-          });
-        }
-        
-        // Clear any error listeners added by createSocketWithErrorHandler
-        targetSocket.removeAllListeners('error');
-        
-        // Add the normal error handler for established connections
-        targetSocket.on('error', this.smartProxy.connectionManager.handleError('outgoing', record));
-        
-        // Check if we should send PROXY protocol header
-        const shouldSendProxyProtocol = record.routeConfig?.action?.sendProxyProtocol || 
-                                       this.smartProxy.settings.sendProxyProtocol;
-        
-        if (shouldSendProxyProtocol) {
-          try {
-            // Generate PROXY protocol header
-            const proxyInfo = {
-              protocol: (record.remoteIP.includes(':') ? 'TCP6' : 'TCP4') as 'TCP4' | 'TCP6',
-              sourceIP: record.remoteIP,
-              sourcePort: record.remotePort || socket.remotePort || 0,
-              destinationIP: socket.localAddress || '',
-              destinationPort: socket.localPort || 0
-            };
-            
-            const proxyHeader = ProxyProtocolParser.generate(proxyInfo);
-            
-            // Note: PROXY protocol headers are sent to the backend, not to the client
-            // They are internal protocol overhead and shouldn't be counted in client-facing metrics
-            
-            // Send PROXY protocol header first
-            await new Promise<void>((resolve, reject) => {
-              targetSocket.write(proxyHeader, (err) => {
-                if (err) {
-                  logger.log('error', `Failed to send PROXY protocol header`, {
-                    connectionId,
-                    error: err.message,
-                    component: 'route-handler'
-                  });
-                  reject(err);
-                } else {
-                  logger.log('info', `PROXY protocol header sent to backend`, {
-                    connectionId,
-                    targetHost: finalTargetHost,
-                    targetPort: finalTargetPort,
-                    sourceIP: proxyInfo.sourceIP,
-                    sourcePort: proxyInfo.sourcePort,
-                    component: 'route-handler'
-                  });
-                  resolve();
-                }
-              });
-            });
-          } catch (error) {
-            logger.log('error', `Error sending PROXY protocol header`, {
-              connectionId,
-              error: error.message,
-              component: 'route-handler'
-            });
-            // Continue anyway - don't break the connection
-          }
-        }
-        
-        // Flush any pending data to target
-        if (record.pendingData.length > 0) {
-          const combinedData = Buffer.concat(record.pendingData);
-
-          if (this.smartProxy.settings.enableDetailedLogging) {
-            console.log(
-              `[${connectionId}] Forwarding ${combinedData.length} bytes of initial data to target`
-            );
-          }
-
-          // Write pending data immediately
-          targetSocket.write(combinedData, (err) => {
-            if (err) {
-              logger.log('error', `Error writing pending data to target for connection ${connectionId}: ${err.message}`, {
-                connectionId,
-                error: err.message,
-                component: 'route-handler'
-              });
-              return this.smartProxy.connectionManager.cleanupConnection(record, 'write_error');
-            }
-          });
-
-          // Clear the buffer now that we've processed it
-          record.pendingData = [];
-          record.pendingDataSize = 0;
-        }
-
-        // Use centralized bidirectional forwarding setup
-        // Extract underlying sockets for socket-utils functions
-        const incomingSocket = getUnderlyingSocket(socket);
-        
-        setupBidirectionalForwarding(incomingSocket, targetSocket, {
-          onClientData: (chunk) => {
-            record.bytesReceived += chunk.length;
-            this.smartProxy.timeoutManager.updateActivity(record);
-            
-            // Record bytes for metrics
-            if (this.smartProxy.metricsCollector) {
-              this.smartProxy.metricsCollector.recordBytes(record.id, chunk.length, 0);
-            }
-          },
-          onServerData: (chunk) => {
-            record.bytesSent += chunk.length;
-            this.smartProxy.timeoutManager.updateActivity(record);
-            
-            // Record bytes for metrics
-            if (this.smartProxy.metricsCollector) {
-              this.smartProxy.metricsCollector.recordBytes(record.id, 0, chunk.length);
-            }
-          },
-          onCleanup: (reason) => {
-            this.smartProxy.connectionManager.cleanupConnection(record, reason);
-          },
-          enableHalfOpen: false // Default: close both when one closes (required for proxy chains)
-        });
-        
-        // Apply timeouts using TimeoutManager
-        const timeout = this.smartProxy.timeoutManager.getEffectiveInactivityTimeout(record);
-        // Skip timeout for immortal connections (MAX_SAFE_INTEGER would cause issues)
-        if (timeout !== Number.MAX_SAFE_INTEGER) {
-          const safeTimeout = this.smartProxy.timeoutManager.ensureSafeTimeout(timeout);
-          socket.setTimeout(safeTimeout);
-          targetSocket.setTimeout(safeTimeout);
-        }
-
-        // Log successful connection
-        logger.log('info', 
-          `Connection established: ${record.remoteIP} -> ${finalTargetHost}:${finalTargetPort}` +
-          `${serverName ? ` (SNI: ${serverName})` : record.lockedDomain ? ` (Domain: ${record.lockedDomain})` : ''}`, 
-          {
-            remoteIP: record.remoteIP,
-            targetHost: finalTargetHost,
-            targetPort: finalTargetPort,
-            sni: serverName || undefined,
-            domain: !serverName && record.lockedDomain ? record.lockedDomain : undefined,
-            component: 'route-handler'
-          }
-        );
-
-        // Add TLS renegotiation handler if needed
-        if (serverName) {
-          // Create connection info object for the existing connection
-          const connInfo = {
-            sourceIp: record.remoteIP,
-            sourcePort: record.incoming.remotePort || 0,
-            destIp: record.incoming.localAddress || '',
-            destPort: record.incoming.localPort || 0,
-          };
-
-          // Create a renegotiation handler function
-          const renegotiationHandler = this.smartProxy.tlsManager.createRenegotiationHandler(
-            connectionId,
-            serverName,
-            connInfo,
-            (_connectionId, reason) => this.smartProxy.connectionManager.cleanupConnection(record, reason)
-          );
-
-          // Store the handler in the connection record so we can remove it during cleanup
-          record.renegotiationHandler = renegotiationHandler;
-
-          // Add the handler to the socket
-          socket.on('data', renegotiationHandler);
-
-          if (this.smartProxy.settings.enableDetailedLogging) {
-            logger.log('info', `TLS renegotiation handler installed for connection ${connectionId} with SNI ${serverName}`, {
-              connectionId,
-              serverName,
-              component: 'route-handler'
-            });
-          }
-        }
-
-        // Set connection timeout
-        record.cleanupTimer = this.smartProxy.timeoutManager.setupConnectionTimeout(record, (record, reason) => {
-          logger.log('warn', `Connection ${connectionId} from ${record.remoteIP} exceeded max lifetime, forcing cleanup`, {
-            connectionId,
-            remoteIP: record.remoteIP,
-            component: 'route-handler'
-          });
-          this.smartProxy.connectionManager.cleanupConnection(record, reason);
-        });
-
-        // Mark TLS handshake as complete for TLS connections
-        if (record.isTLS) {
-          record.tlsHandshakeComplete = true;
-        }
-      }
-    });
-    
-    // Set outgoing socket immediately so it can be cleaned up if client disconnects
-    record.outgoing = targetSocket;
-    record.outgoingStartTime = Date.now();
-
-    // Apply socket optimizations
-    targetSocket.setNoDelay(this.smartProxy.settings.noDelay);
-
-    // Apply keep-alive settings if enabled
-    if (this.smartProxy.settings.keepAlive) {
-      targetSocket.setKeepAlive(true, this.smartProxy.settings.keepAliveInitialDelay);
-
-      // Apply enhanced TCP keep-alive options if enabled
-      if (this.smartProxy.settings.enableKeepAliveProbes) {
-        try {
-          if ('setKeepAliveProbes' in targetSocket) {
-            (targetSocket as any).setKeepAliveProbes(10);
-          }
-          if ('setKeepAliveInterval' in targetSocket) {
-            (targetSocket as any).setKeepAliveInterval(1000);
-          }
-        } catch (err) {
-          // Ignore errors - these are optional enhancements
-          if (this.smartProxy.settings.enableDetailedLogging) {
-            logger.log('warn', `Enhanced TCP keep-alive not supported for outgoing socket on connection ${connectionId}: ${err}`, {
-              connectionId,
-              error: err,
-              component: 'route-handler'
-            });
-          }
-        }
-      }
-    }
-
-    // Setup error handlers for incoming socket
-    socket.on('error', this.smartProxy.connectionManager.handleError('incoming', record));
-
-    // Handle timeouts with keep-alive awareness
-    socket.on('timeout', () => {
-      // For keep-alive connections, just log a warning instead of closing
-      if (record.hasKeepAlive) {
-        logger.log('warn', `Timeout event on incoming keep-alive connection ${connectionId} from ${record.remoteIP} after ${plugins.prettyMs(this.smartProxy.settings.socketTimeout || 3600000)}. Connection preserved.`, {
-          connectionId,
-          remoteIP: record.remoteIP,
-          timeout: plugins.prettyMs(this.smartProxy.settings.socketTimeout || 3600000),
-          status: 'Connection preserved',
-          component: 'route-handler'
-        });
-        return;
-      }
-
-      // For non-keep-alive connections, proceed with normal cleanup
-      logger.log('warn', `Timeout on incoming side for connection ${connectionId} from ${record.remoteIP} after ${plugins.prettyMs(this.smartProxy.settings.socketTimeout || 3600000)}`, {
-        connectionId,
-        remoteIP: record.remoteIP,
-        timeout: plugins.prettyMs(this.smartProxy.settings.socketTimeout || 3600000),
-        component: 'route-handler'
-      });
-      if (record.incomingTerminationReason === null) {
-        record.incomingTerminationReason = 'timeout';
-        this.smartProxy.connectionManager.incrementTerminationStat('incoming', 'timeout');
-      }
-      this.smartProxy.connectionManager.cleanupConnection(record, 'timeout_incoming');
-    });
-
-    targetSocket.on('timeout', () => {
-      // For keep-alive connections, just log a warning instead of closing
-      if (record.hasKeepAlive) {
-        logger.log('warn', `Timeout event on outgoing keep-alive connection ${connectionId} from ${record.remoteIP} after ${plugins.prettyMs(this.smartProxy.settings.socketTimeout || 3600000)}. Connection preserved.`, {
-          connectionId,
-          remoteIP: record.remoteIP,
-          timeout: plugins.prettyMs(this.smartProxy.settings.socketTimeout || 3600000),
-          status: 'Connection preserved',
-          component: 'route-handler'
-        });
-        return;
-      }
-
-      // For non-keep-alive connections, proceed with normal cleanup
-      logger.log('warn', `Timeout on outgoing side for connection ${connectionId} from ${record.remoteIP} after ${plugins.prettyMs(this.smartProxy.settings.socketTimeout || 3600000)}`, {
-        connectionId,
-        remoteIP: record.remoteIP,
-        timeout: plugins.prettyMs(this.smartProxy.settings.socketTimeout || 3600000),
-        component: 'route-handler'
-      });
-      if (record.outgoingTerminationReason === null) {
-        record.outgoingTerminationReason = 'timeout';
-        this.smartProxy.connectionManager.incrementTerminationStat('outgoing', 'timeout');
-      }
-      this.smartProxy.connectionManager.cleanupConnection(record, 'timeout_outgoing');
-    });
-
-    // Apply socket timeouts
-    this.smartProxy.timeoutManager.applySocketTimeouts(record);
-  }
-}