@push.rocks/smartproxy 22.4.2 → 22.6.0

package/ts/proxies/smart-proxy/smart-proxy.ts

@@ -1,940 +1,424 @@
 import * as plugins from '../../plugins.js';
 import { logger } from '../../core/utils/logger.js';
-import { connectionLogDeduplicator } from '../../core/utils/log-deduplicator.js';
-
-// Importing required components
-import { ConnectionManager } from './connection-manager.js';
-import { SecurityManager } from './security-manager.js';
-import { TlsManager } from './tls-manager.js';
-import { HttpProxyBridge } from './http-proxy-bridge.js';
-import { TimeoutManager } from './timeout-manager.js';
-import { PortManager } from './port-manager.js';
-import { SharedRouteManager as RouteManager } from '../../core/routing/route-manager.js';
-import { RouteConnectionHandler } from './route-connection-handler.js';
-import { NFTablesManager } from './nftables-manager.js';
-
-// Certificate manager
-import { SmartCertManager, type ICertStatus } from './certificate-manager.js';
-
-// Import types and utilities
-import type {
-  ISmartProxyOptions
-} from './models/interfaces.js';
-import type { IRouteConfig } from './models/route-types.js';
 
-// Import mutex for route update synchronization
-import { Mutex } from './utils/mutex.js';
+// Rust bridge and helpers
+import { RustProxyBridge } from './rust-proxy-bridge.js';
+import { RustBinaryLocator } from './rust-binary-locator.js';
+import { RoutePreprocessor } from './route-preprocessor.js';
+import { SocketHandlerServer } from './socket-handler-server.js';
+import { RustMetricsAdapter } from './rust-metrics-adapter.js';
 
-// Import route validator
+// Route management
+import { SharedRouteManager as RouteManager } from '../../core/routing/route-manager.js';
 import { RouteValidator } from './utils/route-validator.js';
+import { Mutex } from './utils/mutex.js';
 
-// Import route orchestrator for route management
-import { RouteOrchestrator } from './route-orchestrator.js';
-
-// Import ACME state manager
-import { AcmeStateManager } from './acme-state-manager.js';
-
-// Import metrics collector
-import { MetricsCollector } from './metrics-collector.js';
+// Types
+import type { ISmartProxyOptions, TSmartProxyCertProvisionObject } from './models/interfaces.js';
+import type { IRouteConfig } from './models/route-types.js';
 import type { IMetrics } from './models/metrics-types.js';
 
 /**
- * SmartProxy - Pure route-based API
- *
- * SmartProxy is a unified proxy system that works with routes to define connection handling behavior.
- * Each route contains matching criteria (ports, domains, etc.) and an action to take (forward, redirect, block).
+ * SmartProxy - Rust-backed proxy engine with TypeScript configuration API.
  *
- * Configuration is provided through a set of routes, with each route defining:
- * - What to match (ports, domains, paths, client IPs)
- * - What to do with matching traffic (forward, redirect, block)
- * - How to handle TLS (passthrough, terminate, terminate-and-reencrypt)
- * - Security settings (IP restrictions, connection limits)
- * - Advanced options (timeout, headers, etc.)
+ * All networking (TCP, TLS, HTTP reverse proxy, connection management, security,
+ * NFTables) is handled by the Rust binary. TypeScript is only:
+ * - The npm module interface (types, route helpers)
+ * - The thin IPC wrapper (this class)
+ * - Socket-handler callback relay (for JS-defined handlers)
+ * - Certificate provisioning callbacks (certProvisionFunction)
  */
 export class SmartProxy extends plugins.EventEmitter {
-  // Port manager handles dynamic listener management
-  private portManager: PortManager;
-  private connectionLogger: NodeJS.Timeout | null = null;
-  private isShuttingDown: boolean = false;
-  
-  // Component managers
-  public connectionManager: ConnectionManager;
-  public securityManager: SecurityManager;
-  public tlsManager: TlsManager;
-  public httpProxyBridge: HttpProxyBridge;
-  public timeoutManager: TimeoutManager;
+  public settings: ISmartProxyOptions;
   public routeManager: RouteManager;
-  public routeConnectionHandler: RouteConnectionHandler;
-  public nftablesManager: NFTablesManager;
-  
-  // Certificate manager for ACME and static certificates
-  public certManager: SmartCertManager | null = null;
-  
-  // Global challenge route tracking
-  private globalChallengeRouteActive: boolean = false;
+
+  private bridge: RustProxyBridge;
+  private preprocessor: RoutePreprocessor;
+  private socketHandlerServer: SocketHandlerServer | null = null;
+  private metricsAdapter: RustMetricsAdapter;
   private routeUpdateLock: Mutex;
-  public acmeStateManager: AcmeStateManager;
-  
-  // Metrics collector
-  public metricsCollector: MetricsCollector;
-  
-  // Route orchestrator for managing route updates
-  private routeOrchestrator: RouteOrchestrator;
-  
-  // Track port usage across route updates
-  private portUsageMap: Map<number, Set<string>> = new Map();
-  
-  /**
-   * Constructor for SmartProxy
-   *
-   * @param settingsArg Configuration options containing routes and other settings
-   * Routes define how traffic is matched and handled, with each route having:
-   * - match: criteria for matching traffic (ports, domains, paths, IPs)
-   * - action: what to do with matched traffic (forward, redirect, block)
-   *
-   * Example:
-   * ```ts
-   * const proxy = new SmartProxy({
-   *   routes: [
-   *     {
-   *       match: {
-   *         ports: 443,
-   *         domains: ['example.com', '*.example.com']
-   *       },
-   *       action: {
-   *         type: 'forward',
-   *         target: { host: '10.0.0.1', port: 8443 },
-   *         tls: { mode: 'passthrough' }
-   *       }
-   *     }
-   *   ],
-   *   defaults: {
-   *     target: { host: 'localhost', port: 8080 },
-   *     security: { ipAllowList: ['*'] }
-   *   }
-   * });
-   * ```
-   */
+  private stopping = false;
+
   constructor(settingsArg: ISmartProxyOptions) {
     super();
-    
-    // Set reasonable defaults for all settings
+
+    // Apply defaults
     this.settings = {
       ...settingsArg,
       initialDataTimeout: settingsArg.initialDataTimeout || 120000,
       socketTimeout: settingsArg.socketTimeout || 3600000,
-      inactivityCheckInterval: settingsArg.inactivityCheckInterval || 60000,
       maxConnectionLifetime: settingsArg.maxConnectionLifetime || 86400000,
       inactivityTimeout: settingsArg.inactivityTimeout || 14400000,
       gracefulShutdownTimeout: settingsArg.gracefulShutdownTimeout || 30000,
-      noDelay: settingsArg.noDelay !== undefined ? settingsArg.noDelay : true,
-      keepAlive: settingsArg.keepAlive !== undefined ? settingsArg.keepAlive : true,
-      keepAliveInitialDelay: settingsArg.keepAliveInitialDelay || 10000,
-      maxPendingDataSize: settingsArg.maxPendingDataSize || 10 * 1024 * 1024,
-      disableInactivityCheck: settingsArg.disableInactivityCheck || false,
-      enableKeepAliveProbes:
-        settingsArg.enableKeepAliveProbes !== undefined ? settingsArg.enableKeepAliveProbes : true,
-      enableDetailedLogging: settingsArg.enableDetailedLogging || false,
-      enableTlsDebugLogging: settingsArg.enableTlsDebugLogging || false,
-      enableRandomizedTimeouts: settingsArg.enableRandomizedTimeouts || false,
       maxConnectionsPerIP: settingsArg.maxConnectionsPerIP || 100,
       connectionRateLimitPerMinute: settingsArg.connectionRateLimitPerMinute || 300,
       keepAliveTreatment: settingsArg.keepAliveTreatment || 'extended',
       keepAliveInactivityMultiplier: settingsArg.keepAliveInactivityMultiplier || 6,
       extendedKeepAliveLifetime: settingsArg.extendedKeepAliveLifetime || 7 * 24 * 60 * 60 * 1000,
-      httpProxyPort: settingsArg.httpProxyPort || 8443,
     };
-    
-    // Normalize ACME options if provided (support both email and accountEmail)
+
+    // Normalize ACME options
     if (this.settings.acme) {
-      // Support both 'email' and 'accountEmail' fields
       if (this.settings.acme.accountEmail && !this.settings.acme.email) {
         this.settings.acme.email = this.settings.acme.accountEmail;
       }
-      
-      // Set reasonable defaults for commonly used fields
       this.settings.acme = {
-        enabled: this.settings.acme.enabled !== false, // Enable by default if acme object exists
+        enabled: this.settings.acme.enabled !== false,
         port: this.settings.acme.port || 80,
         email: this.settings.acme.email,
         useProduction: this.settings.acme.useProduction || false,
         renewThresholdDays: this.settings.acme.renewThresholdDays || 30,
-        autoRenew: this.settings.acme.autoRenew !== false, // Enable by default
+        autoRenew: this.settings.acme.autoRenew !== false,
         certificateStore: this.settings.acme.certificateStore || './certs',
         skipConfiguredCerts: this.settings.acme.skipConfiguredCerts || false,
         renewCheckIntervalHours: this.settings.acme.renewCheckIntervalHours || 24,
         routeForwards: this.settings.acme.routeForwards || [],
-        ...this.settings.acme // Preserve any additional fields
+        ...this.settings.acme,
       };
     }
-    
-    // Initialize component managers
-    this.timeoutManager = new TimeoutManager(this);
-    this.securityManager = new SecurityManager(this);
-    this.connectionManager = new ConnectionManager(this);
-    
-    // Create the route manager with SharedRouteManager API
-    // Create a logger adapter to match ILogger interface
-    const loggerAdapter = {
-      debug: (message: string, data?: any) => logger.log('debug', message, data),
-      info: (message: string, data?: any) => logger.log('info', message, data),
-      warn: (message: string, data?: any) => logger.log('warn', message, data),
-      error: (message: string, data?: any) => logger.log('error', message, data)
-    };
-    
-    // Validate initial routes
-    if (this.settings.routes && this.settings.routes.length > 0) {
+
+    // Validate routes
+    if (this.settings.routes?.length) {
       const validation = RouteValidator.validateRoutes(this.settings.routes);
       if (!validation.valid) {
         RouteValidator.logValidationErrors(validation.errors);
         throw new Error(`Initial route validation failed: ${validation.errors.size} route(s) have errors`);
       }
     }
-    
+
+    // Create logger adapter
+    const loggerAdapter = {
+      debug: (message: string, data?: any) => logger.log('debug', message, data),
+      info: (message: string, data?: any) => logger.log('info', message, data),
+      warn: (message: string, data?: any) => logger.log('warn', message, data),
+      error: (message: string, data?: any) => logger.log('error', message, data),
+    };
+
+    // Initialize components
     this.routeManager = new RouteManager({
       logger: loggerAdapter,
       enableDetailedLogging: this.settings.enableDetailedLogging,
-      routes: this.settings.routes
+      routes: this.settings.routes,
     });
 
-    
-    // Create other required components
-    this.tlsManager = new TlsManager(this);
-    this.httpProxyBridge = new HttpProxyBridge(this);
-    
-    // Initialize connection handler with route support
-    this.routeConnectionHandler = new RouteConnectionHandler(this);
-
-    // Initialize port manager
-    this.portManager = new PortManager(this);
-    
-    // Initialize NFTablesManager
-    this.nftablesManager = new NFTablesManager(this);
-    
-    // Initialize route update mutex for synchronization
-    this.routeUpdateLock = new Mutex();
-    
-    // Initialize ACME state manager
-    this.acmeStateManager = new AcmeStateManager();
-    
-    // Initialize metrics collector with reference to this SmartProxy instance
-    this.metricsCollector = new MetricsCollector(this, {
-      sampleIntervalMs: this.settings.metrics?.sampleIntervalMs,
-      retentionSeconds: this.settings.metrics?.retentionSeconds
-    });
-    
-    // Initialize route orchestrator for managing route updates
-    this.routeOrchestrator = new RouteOrchestrator(
-      this.portManager,
-      this.routeManager,
-      this.httpProxyBridge,
-      this.nftablesManager,
-      null, // certManager will be set later
-      loggerAdapter
+    this.bridge = new RustProxyBridge();
+    this.preprocessor = new RoutePreprocessor();
+    this.metricsAdapter = new RustMetricsAdapter(
+      this.bridge,
+      this.settings.metrics?.sampleIntervalMs ?? 1000
     );
-  }
-  
-  /**
-   * The settings for the SmartProxy
-   */
-  public settings: ISmartProxyOptions;
-  
-  /**
-   * Helper method to create and configure certificate manager
-   * This ensures consistent setup including the required ACME callback
-   */
-  private async createCertificateManager(
-    routes: IRouteConfig[],
-    certStore: string = './certs',
-    acmeOptions?: any,
-    initialState?: { challengeRouteActive?: boolean }
-  ): Promise<SmartCertManager> {
-    const certManager = new SmartCertManager(routes, certStore, acmeOptions, initialState);
-    
-    // Always set up the route update callback for ACME challenges
-    certManager.setUpdateRoutesCallback(async (routes) => {
-      await this.updateRoutes(routes);
-    });
-    
-    // Connect with HttpProxy if available
-    if (this.httpProxyBridge.getHttpProxy()) {
-      certManager.setHttpProxy(this.httpProxyBridge.getHttpProxy());
-    }
-    
-    // Set the ACME state manager
-    certManager.setAcmeStateManager(this.acmeStateManager);
-    
-    // Pass down the global ACME config if available
-    if (this.settings.acme) {
-      certManager.setGlobalAcmeDefaults(this.settings.acme);
-    }
-    
-    // Pass down the custom certificate provision function if available
-    if (this.settings.certProvisionFunction) {
-      certManager.setCertProvisionFunction(this.settings.certProvisionFunction);
-    }
-    
-    // Pass down the fallback to ACME setting
-    if (this.settings.certProvisionFallbackToAcme !== undefined) {
-      certManager.setCertProvisionFallbackToAcme(this.settings.certProvisionFallbackToAcme);
-    }
-    
-    await certManager.initialize();
-    return certManager;
+    this.routeUpdateLock = new Mutex();
   }
 
   /**
-   * Initialize certificate manager
+   * Start the proxy.
+   * Spawns the Rust binary, configures socket relay if needed, sends routes, handles cert provisioning.
    */
-  private async initializeCertificateManager(): Promise<void> {
-    // Extract global ACME options if any routes use auto certificates
-    const autoRoutes = this.settings.routes.filter(r => 
-      r.action.tls?.certificate === 'auto'
-    );
-    
-    if (autoRoutes.length === 0 && !this.hasStaticCertRoutes()) {
-      logger.log('info', 'No routes require certificate management', { component: 'certificate-manager' });
-      return;
-    }
-    
-    // Prepare ACME options with priority:
-    // 1. Use top-level ACME config if available
-    // 2. Fall back to first auto route's ACME config
-    // 3. Otherwise use undefined
-    let acmeOptions: { email?: string; useProduction?: boolean; port?: number } | undefined;
-    
-    if (this.settings.acme?.email) {
-      // Use top-level ACME config
-      acmeOptions = {
-        email: this.settings.acme.email,
-        useProduction: this.settings.acme.useProduction || false,
-        port: this.settings.acme.port || 80
-      };
-      logger.log('info', `Using top-level ACME configuration with email: ${acmeOptions.email}`, { component: 'certificate-manager' });
-    } else if (autoRoutes.length > 0) {
-      // Check for route-level ACME config
-      const routeWithAcme = autoRoutes.find(r => r.action.tls?.acme?.email);
-      if (routeWithAcme?.action.tls?.acme) {
-        const routeAcme = routeWithAcme.action.tls.acme;
-        acmeOptions = {
-          email: routeAcme.email,
-          useProduction: routeAcme.useProduction || false,
-          port: routeAcme.challengePort || 80
-        };
-        logger.log('info', `Using route-level ACME configuration from route '${routeWithAcme.name}' with email: ${acmeOptions.email}`, { component: 'certificate-manager' });
-      }
-    }
-    
-    // Validate we have required configuration
-    if (autoRoutes.length > 0 && !acmeOptions?.email) {
+  public async start(): Promise<void> {
+    // Spawn Rust binary
+    const spawned = await this.bridge.spawn();
+    if (!spawned) {
       throw new Error(
-        'ACME email is required for automatic certificate provisioning. ' +
-        'Please provide email in either:\n' +
-        '1. Top-level "acme" configuration\n' +
-        '2. Individual route\'s "tls.acme" configuration'
+        'RustProxy binary not found. Set SMARTPROXY_RUST_BINARY env var, install the platform package, ' +
+        'or build locally with: cd rust && cargo build --release'
       );
     }
-    
-    // Use the helper method to create and configure the certificate manager
-    this.certManager = await this.createCertificateManager(
-      this.settings.routes,
-      this.settings.acme?.certificateStore || './certs',
-      acmeOptions
-    );
-  }
-  
-  /**
-   * Check if we have routes with static certificates
-   */
-  private hasStaticCertRoutes(): boolean {
-    return this.settings.routes.some(r => 
-      r.action.tls?.certificate && 
-      r.action.tls.certificate !== 'auto'
-    );
-  }
-  
-  /**
-   * Start the proxy server with support for both configuration types
-   */
-  public async start() {
-    // Don't start if already shutting down
-    if (this.isShuttingDown) {
-      logger.log('warn', "Cannot start SmartProxy while it's in the shutdown process");
-      return;
-    }
-
-    // Validate the route configuration
-    const configWarnings = this.routeManager.validateConfiguration();
-    
-    // Also validate ACME configuration
-    const acmeWarnings = this.validateAcmeConfiguration();
-    const allWarnings = [...configWarnings, ...acmeWarnings];
-    
-    if (allWarnings.length > 0) {
-      logger.log('warn', `${allWarnings.length} configuration warnings found`, { count: allWarnings.length });
-      for (const warning of allWarnings) {
-        logger.log('warn', `${warning}`);
-      }
-    }
 
-    // Get listening ports from RouteManager
-    const listeningPorts = this.routeManager.getListeningPorts();
-
-    // Initialize port usage tracking using RouteOrchestrator
-    this.portUsageMap = this.routeOrchestrator.updatePortUsageMap(this.settings.routes);
-    
-    // Log port usage for startup
-    logger.log('info', `SmartProxy starting with ${listeningPorts.length} ports: ${listeningPorts.join(', ')}`, {
-      portCount: listeningPorts.length,
-      ports: listeningPorts,
-      component: 'smart-proxy'
+    // Handle unexpected exit (only emits error if not intentionally stopping)
+    this.bridge.on('exit', (code: number | null, signal: string | null) => {
+      if (this.stopping) return;
+      logger.log('error', `RustProxy exited unexpectedly (code=${code}, signal=${signal})`, { component: 'smart-proxy' });
+      this.emit('error', new Error(`RustProxy exited (code=${code}, signal=${signal})`));
     });
 
-    // Provision NFTables rules for routes that use NFTables
-    for (const route of this.settings.routes) {
-      if (route.action.forwardingEngine === 'nftables') {
-        await this.nftablesManager.provisionRoute(route);
-      }
-    }
+    // Check if any routes need TS-side handling (socket handlers, dynamic functions)
+    const hasHandlerRoutes = this.settings.routes.some(
+      (r) =>
+        (r.action.type === 'socket-handler' && r.action.socketHandler) ||
+        r.action.targets?.some((t) => typeof t.host === 'function' || typeof t.port === 'function')
+    );
 
-    // Initialize and start HttpProxy if needed - before port binding
-    if (this.settings.useHttpProxy && this.settings.useHttpProxy.length > 0) {
-      await this.httpProxyBridge.initialize();
-      await this.httpProxyBridge.start();
+    // Start socket handler relay server (but don't tell Rust yet - proxy not started)
+    if (hasHandlerRoutes) {
+      this.socketHandlerServer = new SocketHandlerServer(this.preprocessor);
+      await this.socketHandlerServer.start();
     }
 
-    // Start port listeners using the PortManager BEFORE initializing certificate manager
-    // This ensures all required ports are bound and ready when adding ACME challenge routes
-    await this.portManager.addPorts(listeningPorts);
-    
-    // Initialize certificate manager AFTER port binding is complete
-    // This ensures the ACME challenge port is already bound and ready when needed
-    await this.initializeCertificateManager();
-    
-    // Connect certificate manager with HttpProxy if both are available
-    if (this.certManager && this.httpProxyBridge.getHttpProxy()) {
-      this.certManager.setHttpProxy(this.httpProxyBridge.getHttpProxy());
-    }
+    // Preprocess routes (strip JS functions, convert socket-handler routes)
+    const rustRoutes = this.preprocessor.preprocessForRust(this.settings.routes);
 
-    // Now that ports are listening, provision any required certificates
-    if (this.certManager) {
-      logger.log('info', 'Starting certificate provisioning now that ports are ready', { component: 'certificate-manager' });
-      await this.certManager.provisionAllCertificates();
-    }
-    
-    // Start the metrics collector now that all components are initialized
-    this.metricsCollector.start();
-
-    // Set up periodic connection logging and inactivity checks
-    this.connectionLogger = setInterval(() => {
-      // Immediately return if shutting down
-      if (this.isShuttingDown) return;
-
-      // Perform inactivity check
-      this.connectionManager.performInactivityCheck();
-
-      // Log connection statistics
-      const now = Date.now();
-      let maxIncoming = 0;
-      let maxOutgoing = 0;
-      let tlsConnections = 0;
-      let nonTlsConnections = 0;
-      let completedTlsHandshakes = 0;
-      let pendingTlsHandshakes = 0;
-      let keepAliveConnections = 0;
-      let httpProxyConnections = 0;
-      
-      // Get connection records for analysis
-      const connectionRecords = this.connectionManager.getConnections();
-      
-      // Analyze active connections
-      for (const record of connectionRecords.values()) {
-        // Track connection stats
-        if (record.isTLS) {
-          tlsConnections++;
-          if (record.tlsHandshakeComplete) {
-            completedTlsHandshakes++;
-          } else {
-            pendingTlsHandshakes++;
-          }
-        } else {
-          nonTlsConnections++;
-        }
+    // Build Rust config
+    const config = this.buildRustConfig(rustRoutes);
 
-        if (record.hasKeepAlive) {
-          keepAliveConnections++;
-        }
+    // Start the Rust proxy
+    await this.bridge.startProxy(config);
 
-        if (record.usingNetworkProxy) {
-          httpProxyConnections++;
-        }
+    // Now that Rust proxy is running, configure socket handler relay
+    if (this.socketHandlerServer) {
+      await this.bridge.setSocketHandlerRelay(this.socketHandlerServer.getSocketPath());
+    }
 
-        maxIncoming = Math.max(maxIncoming, now - record.incomingStartTime);
-        if (record.outgoingStartTime) {
-          maxOutgoing = Math.max(maxOutgoing, now - record.outgoingStartTime);
-        }
-      }
+    // Handle certProvisionFunction
+    await this.provisionCertificatesViaCallback();
 
-      // Get termination stats
-      const terminationStats = this.connectionManager.getTerminationStats();
-
-      // Log detailed stats
-      logger.log('info', 'Connection statistics', {
-        activeConnections: connectionRecords.size,
-        tls: {
-          total: tlsConnections,
-          completed: completedTlsHandshakes,
-          pending: pendingTlsHandshakes
-        },
-        nonTls: nonTlsConnections,
-        keepAlive: keepAliveConnections,
-        httpProxy: httpProxyConnections,
-        longestRunning: {
-          incoming: plugins.prettyMs(maxIncoming),
-          outgoing: plugins.prettyMs(maxOutgoing)
-        },
-        terminationStats: {
-          incoming: terminationStats.incoming,
-          outgoing: terminationStats.outgoing
-        },
-        component: 'connection-manager'
-      });
-    }, this.settings.inactivityCheckInterval || 60000);
-
-    // Make sure the interval doesn't keep the process alive
-    if (this.connectionLogger.unref) {
-      this.connectionLogger.unref();
-    }
-  }
-  
-  /**
-   * Extract domain configurations from routes for certificate provisioning
-   *
-   * Note: This method has been removed as we now work directly with routes
-   */
-  
-  /**
-   * Stop the proxy server
-   */
-  public async stop() {
-    logger.log('info', 'SmartProxy shutting down...');
-    this.isShuttingDown = true;
-    this.portManager.setShuttingDown(true);
-    
-    // Stop certificate manager
-    if (this.certManager) {
-      await this.certManager.stop();
-      logger.log('info', 'Certificate manager stopped');
-    }
-    
-    // Stop NFTablesManager
-    await this.nftablesManager.stop();
-    logger.log('info', 'NFTablesManager stopped');
-
-    // Stop the connection logger
-    if (this.connectionLogger) {
-      clearInterval(this.connectionLogger);
-      this.connectionLogger = null;
-    }
+    // Start metrics polling
+    this.metricsAdapter.startPolling();
 
-    // Stop all port listeners
-    await this.portManager.closeAll();
-    logger.log('info', 'All servers closed. Cleaning up active connections...');
-
-    // Clean up all active connections
-    await this.connectionManager.clearConnections();
-
-    // Stop HttpProxy
-    await this.httpProxyBridge.stop();
-    
-    // Clear ACME state manager
-    this.acmeStateManager.clear();
-    
-    // Stop metrics collector
-    this.metricsCollector.stop();
-    
-    // Clean up ProtocolDetector singleton
-    const detection = await import('../../detection/index.js');
-    detection.ProtocolDetector.destroy();
-    
-    // Flush any pending deduplicated logs
-    connectionLogDeduplicator.flushAll();
-
-    logger.log('info', 'SmartProxy shutdown complete.');
-  }
-  
-  /**
-   * Updates the domain configurations for the proxy
-   *
-   * Note: This legacy method has been removed. Use updateRoutes instead.
-   */
-  public async updateDomainConfigs(): Promise<void> {
-    logger.log('warn', 'Method updateDomainConfigs() is deprecated. Use updateRoutes() instead.');
-    throw new Error('updateDomainConfigs() is deprecated - use updateRoutes() instead');
+    logger.log('info', 'SmartProxy started (Rust engine)', { component: 'smart-proxy' });
   }
-  
+
   /**
-   * Verify the challenge route has been properly removed from routes
+   * Stop the proxy.
    */
-  private async verifyChallengeRouteRemoved(): Promise<void> {
-    const maxRetries = 10;
-    const retryDelay = 100; // milliseconds
-    
-    for (let i = 0; i < maxRetries; i++) {
-      // Check if the challenge route is still in the active routes
-      const challengeRouteExists = this.settings.routes.some(r => r.name === 'acme-challenge');
-      
-      if (!challengeRouteExists) {
-        try {
-          logger.log('info', 'Challenge route successfully removed from routes');
-        } catch (error) {
-          // Silently handle logging errors
-          console.log('[INFO] Challenge route successfully removed from routes');
-        }
-        return;
-      }
-      
-      // Wait before retrying
-      await plugins.smartdelay.delayFor(retryDelay);
-    }
-    
-    const error = `Failed to verify challenge route removal after ${maxRetries} attempts`;
+  public async stop(): Promise<void> {
+    logger.log('info', 'SmartProxy shutting down...', { component: 'smart-proxy' });
+    this.stopping = true;
+
+    // Stop metrics polling
+    this.metricsAdapter.stopPolling();
+
+    // Remove exit listener before killing to avoid spurious error events
+    this.bridge.removeAllListeners('exit');
+
+    // Stop Rust proxy
     try {
-      logger.log('error', error);
-    } catch (logError) {
-      // Silently handle logging errors
-      console.log(`[ERROR] ${error}`);
+      await this.bridge.stopProxy();
+    } catch {
+      // Ignore if already stopped
+    }
+    this.bridge.kill();
+
+    // Stop socket handler relay
+    if (this.socketHandlerServer) {
+      await this.socketHandlerServer.stop();
+      this.socketHandlerServer = null;
     }
-    throw new Error(error);
+
+    logger.log('info', 'SmartProxy shutdown complete.', { component: 'smart-proxy' });
   }
-  
+
   /**
-   * Update routes with new configuration
-   *
-   * This method replaces the current route configuration with the provided routes.
-   * It also provisions certificates for routes that require TLS termination and have
-   * `certificate: 'auto'` set in their TLS configuration.
-   *
-   * @param newRoutes Array of route configurations to use
-   *
-   * Example:
-   * ```ts
-   * proxy.updateRoutes([
-   *   {
-   *     match: { ports: 443, domains: 'secure.example.com' },
-   *     action: {
-   *       type: 'forward',
-   *       target: { host: '10.0.0.1', port: 8443 },
-   *       tls: { mode: 'terminate', certificate: 'auto' }
-   *     }
-   *   }
-   * ]);
-   * ```
+   * Update routes atomically.
    */
   public async updateRoutes(newRoutes: IRouteConfig[]): Promise<void> {
     return this.routeUpdateLock.runExclusive(async () => {
-      try {
-        logger.log('info', `Updating routes (${newRoutes.length} routes)`, { 
-          routeCount: newRoutes.length, 
-          component: 'smart-proxy' 
-        });
-      } catch (error) {
-        // Silently handle logging errors
-        console.log(`[INFO] Updating routes (${newRoutes.length} routes)`);
+      // Validate
+      const validation = RouteValidator.validateRoutes(newRoutes);
+      if (!validation.valid) {
+        RouteValidator.logValidationErrors(validation.errors);
+        throw new Error(`Route validation failed: ${validation.errors.size} route(s) have errors`);
       }
 
-      // Update route orchestrator dependencies if cert manager changed
-      if (this.certManager && !this.routeOrchestrator.getCertManager()) {
-        this.routeOrchestrator.setCertManager(this.certManager);
-      }
-      
-      // Delegate the complex route update logic to RouteOrchestrator
-      const updateResult = await this.routeOrchestrator.updateRoutes(
-        this.settings.routes,
-        newRoutes,
-        {
-          acmePort: this.settings.acme?.port || 80,
-          acmeOptions: this.certManager?.getAcmeOptions(),
-          acmeState: this.certManager?.getState(),
-          globalChallengeRouteActive: this.globalChallengeRouteActive,
-          createCertificateManager: this.createCertificateManager.bind(this),
-          verifyChallengeRouteRemoved: this.verifyChallengeRouteRemoved.bind(this)
-        }
+      // Preprocess for Rust
+      const rustRoutes = this.preprocessor.preprocessForRust(newRoutes);
+
+      // Send to Rust
+      await this.bridge.updateRoutes(rustRoutes);
+
+      // Update local route manager
+      this.routeManager.updateRoutes(newRoutes);
+
+      // Update socket handler relay if handler routes changed
+      const hasHandlerRoutes = newRoutes.some(
+        (r) =>
+          (r.action.type === 'socket-handler' && r.action.socketHandler) ||
+          r.action.targets?.some((t) => typeof t.host === 'function' || typeof t.port === 'function')
       );
-      
-      // Update settings with the new routes
-      this.settings.routes = newRoutes;
-      
-      // Update global state from orchestrator results
-      this.globalChallengeRouteActive = updateResult.newChallengeRouteActive;
-      
-      // Update port usage map from orchestrator
-      this.portUsageMap = updateResult.portUsageMap;
-      
-      // If certificate manager was recreated, update our reference
-      if (updateResult.newCertManager) {
-        this.certManager = updateResult.newCertManager;
-        // Update the orchestrator's reference too
-        this.routeOrchestrator.setCertManager(this.certManager);
+
+      if (hasHandlerRoutes && !this.socketHandlerServer) {
+        this.socketHandlerServer = new SocketHandlerServer(this.preprocessor);
+        await this.socketHandlerServer.start();
+        await this.bridge.setSocketHandlerRelay(this.socketHandlerServer.getSocketPath());
+      } else if (!hasHandlerRoutes && this.socketHandlerServer) {
+        await this.socketHandlerServer.stop();
+        this.socketHandlerServer = null;
       }
+
+      // Update stored routes
+      this.settings.routes = newRoutes;
+
+      // Handle cert provisioning for new routes
+      await this.provisionCertificatesViaCallback();
+
+      logger.log('info', `Routes updated (${newRoutes.length} routes)`, { component: 'smart-proxy' });
     });
   }
-  
+
   /**
-   * Manually provision a certificate for a route
+   * Provision a certificate for a named route.
    */
   public async provisionCertificate(routeName: string): Promise<void> {
-    if (!this.certManager) {
-      throw new Error('Certificate manager not initialized');
-    }
-    
-    const route = this.settings.routes.find(r => r.name === routeName);
-    if (!route) {
-      throw new Error(`Route ${routeName} not found`);
-    }
-    
-    await this.certManager.provisionCertificate(route);
+    await this.bridge.provisionCertificate(routeName);
   }
 
-  // Port usage tracking methods moved to RouteOrchestrator
-  
   /**
-   * Force renewal of a certificate
+   * Force renewal of a certificate.
    */
   public async renewCertificate(routeName: string): Promise<void> {
-    if (!this.certManager) {
-      throw new Error('Certificate manager not initialized');
-    }
-    
-    await this.certManager.renewCertificate(routeName);
+    await this.bridge.renewCertificate(routeName);
   }
-  
+
   /**
-   * Get certificate status for a route
+   * Get certificate status for a route (async - calls Rust).
    */
-  public getCertificateStatus(routeName: string): ICertStatus | undefined {
-    if (!this.certManager) {
-      return undefined;
-    }
-    
-    return this.certManager.getCertificateStatus(routeName);
+  public async getCertificateStatus(routeName: string): Promise<any> {
+    return this.bridge.getCertificateStatus(routeName);
   }
-  
+
   /**
-   * Get proxy metrics with clean API
-   * 
-   * @returns IMetrics interface with grouped metrics methods
+   * Get the metrics interface.
    */
   public getMetrics(): IMetrics {
-    return this.metricsCollector;
+    return this.metricsAdapter;
   }
-  
+
   /**
-   * Validates if a domain name is valid for certificate issuance
+   * Get statistics (async - calls Rust).
    */
-  private isValidDomain(domain: string): boolean {
-    // Very basic domain validation
-    if (!domain || domain.length === 0) {
-      return false;
-    }
-    
-    // Check for wildcard domains (they can't get ACME certs)
-    if (domain.includes('*')) {
-      logger.log('warn', `Wildcard domains like "${domain}" are not supported for automatic ACME certificates`, { domain, component: 'certificate-manager' });
-      return false;
-    }
-    
-    // Check if domain has at least one dot and no invalid characters
-    const validDomainRegex = /^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/;
-    if (!validDomainRegex.test(domain)) {
-      logger.log('warn', `Domain "${domain}" has invalid format for certificate issuance`, { domain, component: 'certificate-manager' });
-      return false;
-    }
-    
-    return true;
+  public async getStatistics(): Promise<any> {
+    return this.bridge.getStatistics();
   }
-  
+
   /**
-   * Add a new listening port without changing the route configuration
-   *
-   * This allows you to add a port listener without updating routes.
-   * Useful for preparing to listen on a port before adding routes for it.
-   *
-   * @param port The port to start listening on
-   * @returns Promise that resolves when the port is listening
+   * Add a listening port at runtime.
    */
   public async addListeningPort(port: number): Promise<void> {
-    return this.portManager.addPort(port);
+    await this.bridge.addListeningPort(port);
   }
 
   /**
-   * Stop listening on a specific port without changing the route configuration
-   *
-   * This allows you to stop a port listener without updating routes.
-   * Useful for temporary maintenance or port changes.
-   *
-   * @param port The port to stop listening on
-   * @returns Promise that resolves when the port is closed
+   * Remove a listening port at runtime.
    */
   public async removeListeningPort(port: number): Promise<void> {
-    return this.portManager.removePort(port);
+    await this.bridge.removeListeningPort(port);
   }
 
   /**
-   * Get a list of all ports currently being listened on
-   *
-   * @returns Array of port numbers
+   * Get all currently listening ports (async - calls Rust).
    */
-  public getListeningPorts(): number[] {
-    return this.portManager.getListeningPorts();
+  public async getListeningPorts(): Promise<number[]> {
+    if (!this.bridge.running) return [];
+    return this.bridge.getListeningPorts();
   }
 
   /**
-   * Get statistics about current connections
-   */
-  public getStatistics(): any {
-    const connectionRecords = this.connectionManager.getConnections();
-    const terminationStats = this.connectionManager.getTerminationStats();
-    
-    let tlsConnections = 0;
-    let nonTlsConnections = 0;
-    let keepAliveConnections = 0;
-    let httpProxyConnections = 0;
-    
-    // Analyze active connections
-    for (const record of connectionRecords.values()) {
-      if (record.isTLS) tlsConnections++;
-      else nonTlsConnections++;
-      if (record.hasKeepAlive) keepAliveConnections++;
-      if (record.usingNetworkProxy) httpProxyConnections++;
-    }
-    
-    return {
-      activeConnections: connectionRecords.size,
-      tlsConnections,
-      nonTlsConnections,
-      keepAliveConnections,
-      httpProxyConnections,
-      terminationStats,
-      acmeEnabled: !!this.certManager,
-      port80HandlerPort: this.certManager ? 80 : null,
-      routeCount: this.settings.routes.length,
-      activePorts: this.portManager.getListeningPorts().length,
-      listeningPorts: this.portManager.getListeningPorts()
-    };
-  }
-  
-  /**
-   * Get a list of eligible domains for ACME certificates
+   * Get eligible domains for ACME certificates (sync - reads local routes).
    */
   public getEligibleDomainsForCertificates(): string[] {
     const domains: string[] = [];
-    
-    // Get domains from routes
-    const routes = this.settings.routes || [];
-    
-    for (const route of routes) {
+    for (const route of this.settings.routes || []) {
       if (!route.match.domains) continue;
-      
-      // Skip routes without TLS termination or auto certificates
-      if (route.action.type !== 'forward' || 
-          !route.action.tls || 
-          route.action.tls.mode === 'passthrough' || 
-          route.action.tls.certificate !== 'auto') continue;
-      
-      const routeDomains = Array.isArray(route.match.domains) 
-        ? route.match.domains 
-        : [route.match.domains];
-      
-      // Skip domains that can't be used with ACME
-      const eligibleDomains = routeDomains.filter(domain => 
-        !domain.includes('*') && this.isValidDomain(domain)
-      );
-      
-      domains.push(...eligibleDomains);
+      if (
+        route.action.type !== 'forward' ||
+        !route.action.tls ||
+        route.action.tls.mode === 'passthrough' ||
+        route.action.tls.certificate !== 'auto'
+      )
+        continue;
+
+      const routeDomains = Array.isArray(route.match.domains) ? route.match.domains : [route.match.domains];
+      const eligible = routeDomains.filter((d) => !d.includes('*') && this.isValidDomain(d));
+      domains.push(...eligible);
     }
-    
-    // Legacy mode is no longer supported
-    
     return domains;
   }
-  
+
   /**
-   * Get NFTables status
+   * Get NFTables status (async - calls Rust).
    */
   public async getNfTablesStatus(): Promise<Record<string, any>> {
-    return this.nftablesManager.getStatus();
+    return this.bridge.getNftablesStatus();
   }
-  
+
+  // --- Private helpers ---
+
   /**
-   * Validate ACME configuration
+   * Build the Rust configuration object from TS settings.
    */
-  private validateAcmeConfiguration(): string[] {
-    const warnings: string[] = [];
-    
-    // Check for routes with certificate: 'auto'
-    const autoRoutes = this.settings.routes.filter(r => 
-      r.action.tls?.certificate === 'auto'
-    );
-    
-    if (autoRoutes.length === 0) {
-      return warnings;
-    }
-    
-    // Check if we have ACME email configuration
-    const hasTopLevelEmail = this.settings.acme?.email;
-    const routesWithEmail = autoRoutes.filter(r => r.action.tls?.acme?.email);
-    
-    if (!hasTopLevelEmail && routesWithEmail.length === 0) {
-      warnings.push(
-        'Routes with certificate: "auto" require ACME email configuration. ' +
-        'Add email to either top-level "acme" config or individual route\'s "tls.acme" config.'
-      );
-    }
-    
-    // Check for port 80 availability for challenges
-    if (autoRoutes.length > 0) {
-      const challengePort = this.settings.acme?.port || 80;
-      const portsInUse = this.routeManager.getListeningPorts();
-      
-      if (!portsInUse.includes(challengePort)) {
-        warnings.push(
-          `Port ${challengePort} is not configured for any routes but is needed for ACME challenges. ` +
-          `Add a route listening on port ${challengePort} or ensure it's accessible for HTTP-01 challenges.`
-        );
-      }
-    }
-    
-    // Check for mismatched environments
-    if (this.settings.acme?.useProduction) {
-      const stagingRoutes = autoRoutes.filter(r => 
-        r.action.tls?.acme?.useProduction === false
-      );
-      if (stagingRoutes.length > 0) {
-        warnings.push(
-          'Top-level ACME uses production but some routes use staging. ' +
-          'Consider aligning environments to avoid certificate issues.'
-        );
-      }
-    }
-    
-    // Check for wildcard domains with auto certificates
-    for (const route of autoRoutes) {
-      const domains = Array.isArray(route.match.domains) 
-        ? route.match.domains 
-        : [route.match.domains];
-      
-      const wildcardDomains = domains.filter(d => d?.includes('*'));
-      if (wildcardDomains.length > 0) {
-        warnings.push(
-          `Route "${route.name}" has wildcard domain(s) ${wildcardDomains.join(', ')} ` +
-          'with certificate: "auto". Wildcard certificates require DNS-01 challenges, ' +
-          'which are not currently supported. Use static certificates instead.'
-        );
+  private buildRustConfig(routes: IRouteConfig[]): any {
+    return {
+      routes,
+      defaults: this.settings.defaults,
+      acme: this.settings.acme
+        ? {
+            enabled: this.settings.acme.enabled,
+            email: this.settings.acme.email,
+            useProduction: this.settings.acme.useProduction,
+            port: this.settings.acme.port,
+            renewThresholdDays: this.settings.acme.renewThresholdDays,
+            autoRenew: this.settings.acme.autoRenew,
+            certificateStore: this.settings.acme.certificateStore,
+            renewCheckIntervalHours: this.settings.acme.renewCheckIntervalHours,
+          }
+        : undefined,
+      connectionTimeout: this.settings.connectionTimeout,
+      initialDataTimeout: this.settings.initialDataTimeout,
+      socketTimeout: this.settings.socketTimeout,
+      maxConnectionLifetime: this.settings.maxConnectionLifetime,
+      gracefulShutdownTimeout: this.settings.gracefulShutdownTimeout,
+      maxConnectionsPerIp: this.settings.maxConnectionsPerIP,
+      connectionRateLimitPerMinute: this.settings.connectionRateLimitPerMinute,
+      keepAliveTreatment: this.settings.keepAliveTreatment,
+      keepAliveInactivityMultiplier: this.settings.keepAliveInactivityMultiplier,
+      extendedKeepAliveLifetime: this.settings.extendedKeepAliveLifetime,
+      acceptProxyProtocol: this.settings.acceptProxyProtocol,
+      sendProxyProtocol: this.settings.sendProxyProtocol,
+    };
+  }
+
+  /**
+   * For routes with certificate: 'auto', call certProvisionFunction if set.
+   * If the callback returns a cert object, load it into Rust.
+   * If it returns 'http01', let Rust handle ACME.
+   */
+  private async provisionCertificatesViaCallback(): Promise<void> {
+    const provisionFn = this.settings.certProvisionFunction;
+    if (!provisionFn) return;
+
+    for (const route of this.settings.routes) {
+      if (route.action.tls?.certificate !== 'auto') continue;
+      if (!route.match.domains) continue;
+
+      const domains = Array.isArray(route.match.domains) ? route.match.domains : [route.match.domains];
+
+      for (const domain of domains) {
+        if (domain.includes('*')) continue;
+
+        try {
+          const result: TSmartProxyCertProvisionObject = await provisionFn(domain);
+
+          if (result === 'http01') {
+            // Rust handles ACME for this domain
+            continue;
+          }
+
+          // Got a static cert object - load it into Rust
+          if (result && typeof result === 'object') {
+            const certObj = result as plugins.tsclass.network.ICert;
+            await this.bridge.loadCertificate(
+              domain,
+              certObj.publicKey,
+              certObj.privateKey,
+            );
+            logger.log('info', `Certificate loaded via provision function for ${domain}`, { component: 'smart-proxy' });
+          }
+        } catch (err: any) {
+          logger.log('warn', `certProvisionFunction failed for ${domain}: ${err.message}`, { component: 'smart-proxy' });
+
+          // Fallback to ACME if enabled
+          if (this.settings.certProvisionFallbackToAcme !== false) {
+            logger.log('info', `Falling back to ACME for ${domain}`, { component: 'smart-proxy' });
+          }
+        }
       }
     }
-    
-    return warnings;
   }
 
-}
+  private isValidDomain(domain: string): boolean {
+    if (!domain || domain.length === 0) return false;
+    if (domain.includes('*')) return false;
+    const validDomainRegex =
+      /^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/;
+    return validDomainRegex.test(domain);
+  }
+}