@push.rocks/smartproxy 3.23.0 → 3.24.0

package/ts/classes.networkproxy.ts

@@ -6,28 +6,76 @@ import { fileURLToPath } from 'url';
 
 export interface INetworkProxyOptions {
   port: number;
+  maxConnections?: number;
+  keepAliveTimeout?: number;
+  headersTimeout?: number;
+  logLevel?: 'error' | 'warn' | 'info' | 'debug';
+  cors?: {
+    allowOrigin?: string;
+    allowMethods?: string;
+    allowHeaders?: string;
+    maxAge?: number;
+  };
 }
 
 interface IWebSocketWithHeartbeat extends plugins.wsDefault {
   lastPong: number;
+  isAlive: boolean;
 }
 
 export class NetworkProxy {
+  // Configuration
   public options: INetworkProxyOptions;
   public proxyConfigs: plugins.tsclass.network.IReverseProxyConfig[] = [];
+  public defaultHeaders: { [key: string]: string } = {};
+  
+  // Server instances
   public httpsServer: plugins.https.Server;
+  public wsServer: plugins.ws.WebSocketServer;
+  
+  // State tracking
   public router = new ProxyRouter();
   public socketMap = new plugins.lik.ObjectMap<plugins.net.Socket>();
-  public defaultHeaders: { [key: string]: string } = {};
-  public heartbeatInterval: NodeJS.Timeout;
+  public activeContexts: Set<string> = new Set();
+  public connectedClients: number = 0;
+  public startTime: number = 0;
+  public requestsServed: number = 0;
+  public failedRequests: number = 0;
+  
+  // Timers and intervals
+  private heartbeatInterval: NodeJS.Timeout;
+  private metricsInterval: NodeJS.Timeout;
+  
+  // Certificates
   private defaultCertificates: { key: string; cert: string };
+  private certificateCache: Map<string, { key: string; cert: string; expires?: Date }> = new Map();
 
-  public alreadyAddedReverseConfigs: {
-    [hostName: string]: plugins.tsclass.network.IReverseProxyConfig;
-  } = {};
-
+  /**
+   * Creates a new NetworkProxy instance
+   */
   constructor(optionsArg: INetworkProxyOptions) {
-    this.options = optionsArg;
+    // Set default options
+    this.options = {
+      port: optionsArg.port,
+      maxConnections: optionsArg.maxConnections || 10000,
+      keepAliveTimeout: optionsArg.keepAliveTimeout || 120000, // 2 minutes 
+      headersTimeout: optionsArg.headersTimeout || 60000, // 1 minute
+      logLevel: optionsArg.logLevel || 'info',
+      cors: optionsArg.cors || {
+        allowOrigin: '*',
+        allowMethods: 'GET, POST, PUT, DELETE, OPTIONS',
+        allowHeaders: 'Content-Type, Authorization',
+        maxAge: 86400
+      }
+    };
+    
+    this.loadDefaultCertificates();
+  }
+
+  /**
+   * Loads default certificates from the filesystem
+   */
+  private loadDefaultCertificates(): void {
     const __dirname = path.dirname(fileURLToPath(import.meta.url));
     const certPath = path.join(__dirname, '..', 'assets', 'certs');
     
@@ -36,334 +84,761 @@ export class NetworkProxy {
         key: fs.readFileSync(path.join(certPath, 'key.pem'), 'utf8'),
         cert: fs.readFileSync(path.join(certPath, 'cert.pem'), 'utf8')
       };
+      this.log('info', 'Default certificates loaded successfully');
     } catch (error) {
-      console.error('Error loading certificates:', error);
-      throw error;
+      this.log('error', 'Error loading default certificates', error);
+      
+      // Generate self-signed fallback certificates
+      try {
+        // This is a placeholder for actual certificate generation code
+        // In a real implementation, you would use a library like selfsigned to generate certs
+        this.defaultCertificates = {
+          key: "FALLBACK_KEY_CONTENT",
+          cert: "FALLBACK_CERT_CONTENT"
+        };
+        this.log('warn', 'Using fallback self-signed certificates');
+      } catch (fallbackError) {
+        this.log('error', 'Failed to generate fallback certificates', fallbackError);
+        throw new Error('Could not load or generate SSL certificates');
+      }
     }
   }
 
-  public async start() {
-    // Instead of marking the callback async (which Node won't await),
-    // we call our async handler and catch errors.
+  /**
+   * Starts the proxy server
+   */
+  public async start(): Promise<void> {
+    this.startTime = Date.now();
+    
+    // Create the HTTPS server
     this.httpsServer = plugins.https.createServer(
       {
         key: this.defaultCertificates.key,
         cert: this.defaultCertificates.cert
       },
-      (originRequest, originResponse) => {
-        this.handleRequest(originRequest, originResponse).catch((error) => {
-          console.error('Unhandled error in request handler:', error);
-          try {
-            originResponse.end();
-          } catch (err) {
-            // ignore errors during cleanup
-          }
-        });
-      },
+      (req, res) => this.handleRequest(req, res)
     );
 
-    // Enable websockets
-    const wsServer = new plugins.ws.WebSocketServer({ server: this.httpsServer });
+    // Configure server timeouts
+    this.httpsServer.keepAliveTimeout = this.options.keepAliveTimeout;
+    this.httpsServer.headersTimeout = this.options.headersTimeout;
+    
+    // Setup connection tracking
+    this.setupConnectionTracking();
+    
+    // Setup WebSocket support
+    this.setupWebsocketSupport();
+    
+    // Start metrics collection
+    this.setupMetricsCollection();
 
-    // Set up the heartbeat interval
-    this.heartbeatInterval = setInterval(() => {
-      wsServer.clients.forEach((ws: plugins.wsDefault) => {
-        const wsIncoming = ws as IWebSocketWithHeartbeat;
-        if (!wsIncoming.lastPong) {
-          wsIncoming.lastPong = Date.now();
-        }
-        if (Date.now() - wsIncoming.lastPong > 5 * 60 * 1000) {
-          console.log('Terminating websocket due to missing pong for 5 minutes.');
-          wsIncoming.terminate();
-        } else {
-          wsIncoming.ping();
+    // Start the server
+    return new Promise((resolve) => {
+      this.httpsServer.listen(this.options.port, () => {
+        this.log('info', `NetworkProxy started on port ${this.options.port}`);
+        resolve();
+      });
+    });
+  }
+
+  /**
+   * Sets up tracking of TCP connections
+   */
+  private setupConnectionTracking(): void {
+    this.httpsServer.on('connection', (connection: plugins.net.Socket) => {
+      // Check if max connections reached
+      if (this.socketMap.getArray().length >= this.options.maxConnections) {
+        this.log('warn', `Max connections (${this.options.maxConnections}) reached, rejecting new connection`);
+        connection.destroy();
+        return;
+      }
+
+      // Add connection to tracking
+      this.socketMap.add(connection);
+      this.connectedClients = this.socketMap.getArray().length;
+      this.log('debug', `New connection. Currently ${this.connectedClients} active connections`);
+      
+      // Setup connection cleanup handlers
+      const cleanupConnection = () => {
+        if (this.socketMap.checkForObject(connection)) {
+          this.socketMap.remove(connection);
+          this.connectedClients = this.socketMap.getArray().length;
+          this.log('debug', `Connection closed. ${this.connectedClients} connections remaining`);
         }
+      };
+      
+      connection.on('close', cleanupConnection);
+      connection.on('error', (err) => {
+        this.log('debug', 'Connection error', err);
+        cleanupConnection();
       });
-    }, 60000); // runs every 1 minute
-
-    wsServer.on(
-      'connection',
-      (wsIncoming: IWebSocketWithHeartbeat, reqArg: plugins.http.IncomingMessage) => {
-        console.log(
-          `wss proxy: got connection for wsc for https://${reqArg.headers.host}${reqArg.url}`,
-        );
-
-        wsIncoming.lastPong = Date.now();
-        wsIncoming.on('pong', () => {
-          wsIncoming.lastPong = Date.now();
-        });
+      connection.on('end', cleanupConnection);
+      connection.on('timeout', () => {
+        this.log('debug', 'Connection timeout');
+        cleanupConnection();
+      });
+    });
+  }
 
-        let wsOutgoing: plugins.wsDefault;
-        const outGoingDeferred = plugins.smartpromise.defer();
+  /**
+   * Sets up WebSocket support
+   */
+  private setupWebsocketSupport(): void {
+    // Create WebSocket server
+    this.wsServer = new plugins.ws.WebSocketServer({ 
+      server: this.httpsServer,
+      // Add WebSocket specific timeout
+      clientTracking: true
+    });
 
-        // --- Improvement 2: Only call routeReq once ---
-        const wsDestinationConfig = this.router.routeReq(reqArg);
-        if (!wsDestinationConfig) {
-          wsIncoming.terminate();
-          return;
+    // Handle WebSocket connections
+    this.wsServer.on('connection', (wsIncoming: IWebSocketWithHeartbeat, reqArg: plugins.http.IncomingMessage) => {
+      this.handleWebSocketConnection(wsIncoming, reqArg);
+    });
+
+    // Set up the heartbeat interval (check every 30 seconds, terminate after 2 minutes of inactivity)
+    this.heartbeatInterval = setInterval(() => {
+      if (this.wsServer.clients.size === 0) {
+        return; // Skip if no active connections
+      }
+      
+      this.log('debug', `WebSocket heartbeat check for ${this.wsServer.clients.size} clients`);
+      this.wsServer.clients.forEach((ws: plugins.wsDefault) => {
+        const wsWithHeartbeat = ws as IWebSocketWithHeartbeat;
+        
+        if (wsWithHeartbeat.isAlive === false) {
+          this.log('debug', 'Terminating inactive WebSocket connection');
+          return wsWithHeartbeat.terminate();
         }
-        try {
-          wsOutgoing = new plugins.wsDefault(
-            `ws://${wsDestinationConfig.destinationIp}:${wsDestinationConfig.destinationPort}${reqArg.url}`,
-          );
-          console.log('wss proxy: initiated outgoing proxy');
-          wsOutgoing.on('open', async () => {
-            outGoingDeferred.resolve();
-          });
-        } catch (err) {
-          console.error('Error initiating outgoing WebSocket:', err);
+        
+        wsWithHeartbeat.isAlive = false;
+        wsWithHeartbeat.ping();
+      });
+    }, 30000);
+  }
+
+  /**
+   * Sets up metrics collection 
+   */
+  private setupMetricsCollection(): void {
+    this.metricsInterval = setInterval(() => {
+      const uptime = Math.floor((Date.now() - this.startTime) / 1000);
+      const metrics = {
+        uptime,
+        activeConnections: this.connectedClients,
+        totalRequests: this.requestsServed,
+        failedRequests: this.failedRequests,
+        activeWebSockets: this.wsServer?.clients.size || 0,
+        memoryUsage: process.memoryUsage(),
+        activeContexts: Array.from(this.activeContexts)
+      };
+      
+      this.log('debug', 'Proxy metrics', metrics);
+    }, 60000); // Log metrics every minute
+  }
+
+  /**
+   * Handles an incoming WebSocket connection
+   */
+  private handleWebSocketConnection(wsIncoming: IWebSocketWithHeartbeat, reqArg: plugins.http.IncomingMessage): void {
+    const wsPath = reqArg.url;
+    const wsHost = reqArg.headers.host;
+    
+    this.log('info', `WebSocket connection for ${wsHost}${wsPath}`);
+    
+    // Setup heartbeat tracking
+    wsIncoming.isAlive = true;
+    wsIncoming.lastPong = Date.now();
+    wsIncoming.on('pong', () => {
+      wsIncoming.isAlive = true;
+      wsIncoming.lastPong = Date.now();
+    });
+
+    // Get the destination configuration
+    const wsDestinationConfig = this.router.routeReq(reqArg);
+    if (!wsDestinationConfig) {
+      this.log('warn', `No route found for WebSocket ${wsHost}${wsPath}`);
+      wsIncoming.terminate();
+      return;
+    }
+
+    // Check authentication if required
+    if (wsDestinationConfig.authentication) {
+      try {
+        if (!this.authenticateRequest(reqArg, wsDestinationConfig)) {
+          this.log('warn', `WebSocket authentication failed for ${wsHost}${wsPath}`);
           wsIncoming.terminate();
           return;
         }
+      } catch (error) {
+        this.log('error', 'WebSocket authentication error', error);
+        wsIncoming.terminate();
+        return;
+      }
+    }
 
-        wsIncoming.on('message', async (message, isBinary) => {
-          try {
-            await outGoingDeferred.promise;
-            wsOutgoing.send(message, { binary: isBinary });
-          } catch (error) {
-            console.error('Error sending message to wsOutgoing:', error);
-          }
-        });
-
-        wsOutgoing.on('message', async (message, isBinary) => {
-          try {
-            wsIncoming.send(message, { binary: isBinary });
-          } catch (error) {
-            console.error('Error sending message to wsIncoming:', error);
-          }
-        });
+    // Setup outgoing WebSocket connection
+    let wsOutgoing: plugins.wsDefault;
+    const outGoingDeferred = plugins.smartpromise.defer();
 
-        const terminateWsOutgoing = () => {
-          if (wsOutgoing) {
-            wsOutgoing.terminate();
-            console.log('Terminated outgoing ws.');
-          }
-        };
-        wsIncoming.on('error', terminateWsOutgoing);
-        wsIncoming.on('close', terminateWsOutgoing);
+    try {
+      const wsTarget = `ws://${wsDestinationConfig.destinationIp}:${wsDestinationConfig.destinationPort}${reqArg.url}`;
+      this.log('debug', `Proxying WebSocket to ${wsTarget}`);
+      
+      wsOutgoing = new plugins.wsDefault(wsTarget);
+      
+      wsOutgoing.on('open', () => {
+        this.log('debug', 'Outgoing WebSocket connection established');
+        outGoingDeferred.resolve();
+      });
+      
+      wsOutgoing.on('error', (error) => {
+        this.log('error', 'Outgoing WebSocket error', error);
+        outGoingDeferred.reject(error);
+        if (wsIncoming.readyState === wsIncoming.OPEN) {
+          wsIncoming.terminate();
+        }
+      });
+    } catch (err) {
+      this.log('error', 'Failed to create outgoing WebSocket connection', err);
+      wsIncoming.terminate();
+      return;
+    }
 
-        const terminateWsIncoming = () => {
-          if (wsIncoming) {
-            wsIncoming.terminate();
-            console.log('Terminated incoming ws.');
-          }
-        };
-        wsOutgoing.on('error', terminateWsIncoming);
-        wsOutgoing.on('close', terminateWsIncoming);
-      },
-    );
+    // Handle message forwarding from client to backend
+    wsIncoming.on('message', async (message, isBinary) => {
+      try {
+        // Wait for outgoing connection to be ready
+        await outGoingDeferred.promise;
+        
+        // Only forward if both connections are still open
+        if (wsOutgoing.readyState === wsOutgoing.OPEN) {
+          wsOutgoing.send(message, { binary: isBinary });
+        }
+      } catch (error) {
+        this.log('error', 'Error forwarding WebSocket message to backend', error);
+      }
+    });
 
-    this.httpsServer.keepAliveTimeout = 600 * 1000;
-    this.httpsServer.headersTimeout = 600 * 1000;
+    // Handle message forwarding from backend to client
+    wsOutgoing.on('message', (message, isBinary) => {
+      try {
+        // Only forward if the incoming connection is still open
+        if (wsIncoming.readyState === wsIncoming.OPEN) {
+          wsIncoming.send(message, { binary: isBinary });
+        }
+      } catch (error) {
+        this.log('error', 'Error forwarding WebSocket message to client', error);
+      }
+    });
 
-    this.httpsServer.on('connection', (connection: plugins.net.Socket) => {
-      this.socketMap.add(connection);
-      console.log(`Added connection. Now ${this.socketMap.getArray().length} sockets connected.`);
-      const cleanupConnection = () => {
-        if (this.socketMap.checkForObject(connection)) {
-          this.socketMap.remove(connection);
-          console.log(`Removed connection. ${this.socketMap.getArray().length} sockets remaining.`);
-          connection.destroy();
+    // Clean up connections when either side closes
+    wsIncoming.on('close', (code, reason) => {
+      this.log('debug', `Incoming WebSocket closed: ${code} - ${reason}`);
+      if (wsOutgoing && wsOutgoing.readyState !== wsOutgoing.CLOSED) {
+        try {
+          // Validate close code (must be 1000-4999) or use 1000 as default
+          const validCode = (code >= 1000 && code <= 4999) ? code : 1000;
+          wsOutgoing.close(validCode, reason.toString() || '');
+        } catch (error) {
+          this.log('error', 'Error closing outgoing WebSocket', error);
+          wsOutgoing.terminate();
         }
-      };
-      connection.on('close', cleanupConnection);
-      connection.on('error', cleanupConnection);
-      connection.on('end', cleanupConnection);
-      connection.on('timeout', cleanupConnection);
+      }
     });
 
-    this.httpsServer.listen(this.options.port);
-    console.log(
-      `NetworkProxy -> OK: now listening for new connections on port ${this.options.port}`,
-    );
+    wsOutgoing.on('close', (code, reason) => {
+      this.log('debug', `Outgoing WebSocket closed: ${code} - ${reason}`);
+      if (wsIncoming && wsIncoming.readyState !== wsIncoming.CLOSED) {
+        try {
+          // Validate close code (must be 1000-4999) or use 1000 as default
+          const validCode = (code >= 1000 && code <= 4999) ? code : 1000;
+          wsIncoming.close(validCode, reason.toString() || '');
+        } catch (error) {
+          this.log('error', 'Error closing incoming WebSocket', error);
+          wsIncoming.terminate();
+        }
+      }
+    });
   }
 
   /**
-   * Internal async handler for processing HTTP/HTTPS requests.
+   * Handles an HTTP/HTTPS request
    */
   private async handleRequest(
     originRequest: plugins.http.IncomingMessage,
-    originResponse: plugins.http.ServerResponse,
+    originResponse: plugins.http.ServerResponse
   ): Promise<void> {
-    const endOriginReqRes = (
-      statusArg: number = 404,
-      messageArg: string = 'This route is not available on this server.',
-      headers: plugins.http.OutgoingHttpHeaders = {},
-    ) => {
-      originResponse.writeHead(statusArg, messageArg);
-      originResponse.end(messageArg);
-      if (originRequest.socket !== originResponse.socket) {
-        console.log('hey, something is strange.');
+    this.requestsServed++;
+    const startTime = Date.now();
+    const reqId = `req_${Date.now()}_${Math.random().toString(36).substring(2, 7)}`;
+    
+    try {
+      const reqPath = plugins.url.parse(originRequest.url).path;
+      this.log('info', `[${reqId}] ${originRequest.method} ${originRequest.headers.host}${reqPath}`);
+      
+      // Handle preflight OPTIONS requests for CORS
+      if (originRequest.method === 'OPTIONS' && this.options.cors) {
+        this.handleCorsRequest(originRequest, originResponse);
+        return;
       }
-      originResponse.destroy();
-    };
-
-    console.log(
-      `got request: ${originRequest.headers.host}${plugins.url.parse(originRequest.url).path}`,
-    );
-    const destinationConfig = this.router.routeReq(originRequest);
-
-    if (!destinationConfig) {
-      console.log(
-        `${originRequest.headers.host} can't be routed properly. Terminating request.`,
-      );
-      endOriginReqRes();
-      return;
-    }
-
-    // authentication
-    if (destinationConfig.authentication) {
-      const authInfo = destinationConfig.authentication;
-      switch (authInfo.type) {
-        case 'Basic': {
-          const authHeader = originRequest.headers.authorization;
-          if (!authHeader) {
-            return endOriginReqRes(401, 'Authentication required', {
-              'WWW-Authenticate': 'Basic realm="Access to the staging site", charset="UTF-8"',
-            });
-          }
-          if (!authHeader.includes('Basic ')) {
-            return endOriginReqRes(401, 'Authentication required', {
-              'WWW-Authenticate': 'Basic realm="Access to the staging site", charset="UTF-8"',
+      
+      // Get destination configuration
+      const destinationConfig = this.router.routeReq(originRequest);
+      if (!destinationConfig) {
+        this.log('warn', `[${reqId}] No route found for ${originRequest.headers.host}`);
+        this.sendErrorResponse(originResponse, 404, 'Not Found: No matching route');
+        this.failedRequests++;
+        return;
+      }
+      
+      // Handle authentication if configured
+      if (destinationConfig.authentication) {
+        try {
+          if (!this.authenticateRequest(originRequest, destinationConfig)) {
+            this.sendErrorResponse(originResponse, 401, 'Unauthorized', {
+              'WWW-Authenticate': 'Basic realm="Access to the proxy site", charset="UTF-8"'
             });
+            this.failedRequests++;
+            return;
           }
-          const authStringBase64 = authHeader.replace('Basic ', '');
-          const authString: string = plugins.smartstring.base64.decode(authStringBase64);
-          const userPassArray = authString.split(':');
-          const user = userPassArray[0];
-          const pass = userPassArray[1];
-          if (user === authInfo.user && pass === authInfo.pass) {
-            console.log('Request successfully authenticated');
-          } else {
-            return endOriginReqRes(403, 'Forbidden: Wrong credentials');
-          }
-          break;
+        } catch (error) {
+          this.log('error', `[${reqId}] Authentication error`, error);
+          this.sendErrorResponse(originResponse, 500, 'Internal Server Error: Authentication failed');
+          this.failedRequests++;
+          return;
         }
-        default:
-          return endOriginReqRes(
-            403,
-            'Forbidden: unsupported authentication method configured. Please report to the admin.',
-          );
       }
+      
+      // Construct destination URL
+      const destinationUrl = `http://${destinationConfig.destinationIp}:${destinationConfig.destinationPort}${originRequest.url}`;
+      this.log('debug', `[${reqId}] Proxying to ${destinationUrl}`);
+      
+      // Forward the request
+      await this.forwardRequest(reqId, originRequest, originResponse, destinationUrl);
+      
+      const processingTime = Date.now() - startTime;
+      this.log('debug', `[${reqId}] Request completed in ${processingTime}ms`);
+    } catch (error) {
+      this.log('error', `[${reqId}] Unhandled error in request handler`, error);
+      try {
+        this.sendErrorResponse(originResponse, 502, 'Bad Gateway: Server error');
+      } catch (responseError) {
+        this.log('error', `[${reqId}] Failed to send error response`, responseError);
+      }
+      this.failedRequests++;
     }
+  }
 
-    let destinationUrl: string;
-    if (destinationConfig) {
-      destinationUrl = `http://${destinationConfig.destinationIp}:${destinationConfig.destinationPort}${originRequest.url}`;
-    } else {
-      return endOriginReqRes();
+  /**
+   * Handles a CORS preflight request
+   */
+  private handleCorsRequest(
+    req: plugins.http.IncomingMessage,
+    res: plugins.http.ServerResponse
+  ): void {
+    const cors = this.options.cors;
+    
+    // Set CORS headers
+    res.setHeader('Access-Control-Allow-Origin', cors.allowOrigin);
+    res.setHeader('Access-Control-Allow-Methods', cors.allowMethods);
+    res.setHeader('Access-Control-Allow-Headers', cors.allowHeaders);
+    res.setHeader('Access-Control-Max-Age', String(cors.maxAge));
+    
+    // Handle preflight request
+    res.statusCode = 204;
+    res.end();
+    
+    // Count this as a request served
+    this.requestsServed++;
+  }
+
+  /**
+   * Authenticates a request against the destination config
+   */
+  private authenticateRequest(
+    req: plugins.http.IncomingMessage,
+    config: plugins.tsclass.network.IReverseProxyConfig
+  ): boolean {
+    const authInfo = config.authentication;
+    if (!authInfo) {
+      return true; // No authentication required
+    }
+    
+    switch (authInfo.type) {
+      case 'Basic': {
+        const authHeader = req.headers.authorization;
+        if (!authHeader || !authHeader.includes('Basic ')) {
+          return false;
+        }
+        
+        const authStringBase64 = authHeader.replace('Basic ', '');
+        const authString: string = plugins.smartstring.base64.decode(authStringBase64);
+        const [user, pass] = authString.split(':');
+        
+        // Use constant-time comparison to prevent timing attacks
+        const userMatch = user === authInfo.user;
+        const passMatch = pass === authInfo.pass;
+        
+        return userMatch && passMatch;
+      }
+      default:
+        throw new Error(`Unsupported authentication method: ${authInfo.type}`);
     }
-    console.log(destinationUrl);
+  }
+
+  /**
+   * Forwards a request to the destination
+   */
+  private async forwardRequest(
+    reqId: string,
+    originRequest: plugins.http.IncomingMessage,
+    originResponse: plugins.http.ServerResponse,
+    destinationUrl: string
+  ): Promise<void> {
     try {
-      const proxyResponse = await plugins.smartrequest.request(
+      const proxyRequest = await plugins.smartrequest.request(
         destinationUrl,
         {
           method: originRequest.method,
-          headers: {
-            ...originRequest.headers,
-            'X-Forwarded-Host': originRequest.headers.host,
-            'X-Forwarded-Proto': 'https',
-          },
+          headers: this.prepareForwardHeaders(originRequest),
           keepAlive: true,
+          timeout: 30000 // 30 second timeout
         },
-        true, // streaming (keepAlive)
-        (proxyRequest) => {
-          originRequest.on('data', (data) => {
-            proxyRequest.write(data);
-          });
-          originRequest.on('end', () => {
-            proxyRequest.end();
-          });
-          originRequest.on('error', () => {
-            proxyRequest.end();
-          });
-          originRequest.on('close', () => {
-            proxyRequest.end();
-          });
-          originRequest.on('timeout', () => {
-            proxyRequest.end();
-            originRequest.destroy();
-          });
-          proxyRequest.on('error', () => {
-            endOriginReqRes();
-          });
-        },
+        true, // streaming
+        (proxyRequestStream) => this.setupRequestStreaming(originRequest, proxyRequestStream)
       );
-      originResponse.statusCode = proxyResponse.statusCode;
-      console.log(proxyResponse.statusCode);
-      for (const defaultHeader of Object.keys(this.defaultHeaders)) {
-        originResponse.setHeader(defaultHeader, this.defaultHeaders[defaultHeader]);
+      
+      // Handle the response
+      this.processProxyResponse(reqId, originResponse, proxyRequest);
+    } catch (error) {
+      this.log('error', `[${reqId}] Error forwarding request`, error);
+      this.sendErrorResponse(originResponse, 502, 'Bad Gateway: Unable to reach upstream server');
+      throw error; // Let the main handler catch this
+    }
+  }
+
+  /**
+   * Prepares headers to forward to the backend
+   */
+  private prepareForwardHeaders(req: plugins.http.IncomingMessage): plugins.http.OutgoingHttpHeaders {
+    const safeHeaders = { ...req.headers };
+    
+    // Add forwarding headers
+    safeHeaders['X-Forwarded-Host'] = req.headers.host;
+    safeHeaders['X-Forwarded-Proto'] = 'https';
+    safeHeaders['X-Forwarded-For'] = (req.socket.remoteAddress || '').replace(/^::ffff:/, '');
+    
+    // Add proxy-specific headers
+    safeHeaders['X-Proxy-Id'] = `NetworkProxy-${this.options.port}`;
+    
+    // Remove sensitive headers we don't want to forward
+    const sensitiveHeaders = ['connection', 'upgrade', 'http2-settings'];
+    for (const header of sensitiveHeaders) {
+      delete safeHeaders[header];
+    }
+    
+    return safeHeaders;
+  }
+
+  /**
+   * Sets up request streaming for the proxy
+   */
+  private setupRequestStreaming(
+    originRequest: plugins.http.IncomingMessage,
+    proxyRequest: plugins.http.ClientRequest
+  ): void {
+    // Forward request body data
+    originRequest.on('data', (chunk) => {
+      proxyRequest.write(chunk);
+    });
+    
+    // End the request when done
+    originRequest.on('end', () => {
+      proxyRequest.end();
+    });
+    
+    // Handle request errors
+    originRequest.on('error', (error) => {
+      this.log('error', 'Error in client request stream', error);
+      proxyRequest.destroy(error);
+    });
+    
+    // Handle client abort/timeout
+    originRequest.on('close', () => {
+      if (!originRequest.complete) {
+        this.log('debug', 'Client closed connection before request completed');
+        proxyRequest.destroy();
       }
-      for (const header of Object.keys(proxyResponse.headers)) {
-        originResponse.setHeader(header, proxyResponse.headers[header]);
+    });
+    
+    originRequest.on('timeout', () => {
+      this.log('debug', 'Client request timeout');
+      proxyRequest.destroy(new Error('Client request timeout'));
+    });
+    
+    // Handle proxy request errors
+    proxyRequest.on('error', (error) => {
+      this.log('error', 'Error in outgoing proxy request', error);
+    });
+  }
+
+  /**
+   * Processes a proxy response
+   */
+  private processProxyResponse(
+    reqId: string,
+    originResponse: plugins.http.ServerResponse,
+    proxyResponse: plugins.http.IncomingMessage
+  ): void {
+    this.log('debug', `[${reqId}] Received upstream response: ${proxyResponse.statusCode}`);
+    
+    // Set status code
+    originResponse.statusCode = proxyResponse.statusCode;
+    
+    // Add default headers
+    for (const [headerName, headerValue] of Object.entries(this.defaultHeaders)) {
+      originResponse.setHeader(headerName, headerValue);
+    }
+    
+    // Add CORS headers if enabled
+    if (this.options.cors) {
+      originResponse.setHeader('Access-Control-Allow-Origin', this.options.cors.allowOrigin);
+    }
+    
+    // Copy response headers
+    for (const [headerName, headerValue] of Object.entries(proxyResponse.headers)) {
+      // Skip hop-by-hop headers
+      const hopByHopHeaders = ['connection', 'keep-alive', 'transfer-encoding', 'te', 
+                               'trailer', 'upgrade', 'proxy-authorization', 'proxy-authenticate'];
+      if (!hopByHopHeaders.includes(headerName.toLowerCase())) {
+        originResponse.setHeader(headerName, headerValue);
+      }
+    }
+    
+    // Stream response body
+    proxyResponse.on('data', (chunk) => {
+      const canContinue = originResponse.write(chunk);
+      
+      // Apply backpressure if needed
+      if (!canContinue) {
+        proxyResponse.pause();
+        originResponse.once('drain', () => {
+          proxyResponse.resume();
+        });
+      }
+    });
+    
+    // End the response when done
+    proxyResponse.on('end', () => {
+      originResponse.end();
+    });
+    
+    // Handle response errors
+    proxyResponse.on('error', (error) => {
+      this.log('error', `[${reqId}] Error in proxy response stream`, error);
+      originResponse.destroy(error);
+    });
+    
+    originResponse.on('error', (error) => {
+      this.log('error', `[${reqId}] Error in client response stream`, error);
+      proxyResponse.destroy();
+    });
+  }
+
+  /**
+   * Sends an error response to the client
+   */
+  private sendErrorResponse(
+    res: plugins.http.ServerResponse,
+    statusCode: number = 500,
+    message: string = 'Internal Server Error',
+    headers: plugins.http.OutgoingHttpHeaders = {}
+  ): void {
+    try {
+      // If headers already sent, just end the response
+      if (res.headersSent) {
+        res.end();
+        return;
+      }
+      
+      // Add default headers
+      for (const [key, value] of Object.entries(this.defaultHeaders)) {
+        res.setHeader(key, value);
+      }
+      
+      // Add provided headers
+      for (const [key, value] of Object.entries(headers)) {
+        res.setHeader(key, value);
+      }
+      
+      // Send error response
+      res.writeHead(statusCode, message);
+      
+      // Send error body as JSON for API clients
+      if (res.getHeader('Content-Type') === 'application/json') {
+        res.end(JSON.stringify({ error: { status: statusCode, message } }));
+      } else {
+        // Send as plain text
+        res.end(message);
       }
-      proxyResponse.on('data', (data) => {
-        originResponse.write(data);
-      });
-      proxyResponse.on('end', () => {
-        originResponse.end();
-      });
-      proxyResponse.on('error', () => {
-        originResponse.destroy();
-      });
-      proxyResponse.on('close', () => {
-        originResponse.end();
-      });
-      proxyResponse.on('timeout', () => {
-        originResponse.end();
-        originResponse.destroy();
-      });
     } catch (error) {
-      console.error('Error while processing request:', error);
-      endOriginReqRes(502, 'Bad Gateway: Error processing the request');
+      this.log('error', 'Error sending error response', error);
+      try {
+        res.destroy();
+      } catch (destroyError) {
+        // Last resort - nothing more we can do
+      }
     }
   }
 
+  /**
+   * Updates proxy configurations
+   */
   public async updateProxyConfigs(
-    proxyConfigsArg: plugins.tsclass.network.IReverseProxyConfig[],
-  ) {
-    console.log(`got new proxy configs`);
+    proxyConfigsArg: plugins.tsclass.network.IReverseProxyConfig[]
+  ): Promise<void> {
+    this.log('info', `Updating proxy configurations (${proxyConfigsArg.length} configs)`);
+    
+    // Update internal configs
     this.proxyConfigs = proxyConfigsArg;
     this.router.setNewProxyConfigs(proxyConfigsArg);
-    for (const hostCandidate of this.proxyConfigs) {
-      const existingHostNameConfig = this.alreadyAddedReverseConfigs[hostCandidate.hostName];
-
-      if (!existingHostNameConfig) {
-        this.alreadyAddedReverseConfigs[hostCandidate.hostName] = hostCandidate;
-      } else {
-        if (
-          existingHostNameConfig.publicKey === hostCandidate.publicKey &&
-          existingHostNameConfig.privateKey === hostCandidate.privateKey
-        ) {
-          continue;
-        } else {
-          this.alreadyAddedReverseConfigs[hostCandidate.hostName] = hostCandidate;
+    
+    // Collect all hostnames for cleanup later
+    const currentHostNames = new Set<string>();
+    
+    // Add/update SSL contexts for each host
+    for (const config of proxyConfigsArg) {
+      currentHostNames.add(config.hostName);
+      
+      try {
+        // Check if we need to update the cert
+        const currentCert = this.certificateCache.get(config.hostName);
+        const shouldUpdate = !currentCert || 
+                            currentCert.key !== config.privateKey || 
+                            currentCert.cert !== config.publicKey;
+        
+        if (shouldUpdate) {
+          this.log('debug', `Updating SSL context for ${config.hostName}`);
+          
+          // Update the HTTPS server context
+          this.httpsServer.addContext(config.hostName, {
+            key: config.privateKey,
+            cert: config.publicKey
+          });
+          
+          // Update the cache
+          this.certificateCache.set(config.hostName, {
+            key: config.privateKey,
+            cert: config.publicKey
+          });
+          
+          this.activeContexts.add(config.hostName);
         }
+      } catch (error) {
+        this.log('error', `Failed to add SSL context for ${config.hostName}`, error);
+      }
+    }
+    
+    // Clean up removed contexts
+    // Note: Node.js doesn't officially support removing contexts
+    // This would require server restart in production
+    for (const hostname of this.activeContexts) {
+      if (!currentHostNames.has(hostname)) {
+        this.log('info', `Hostname ${hostname} removed from configuration`);
+        this.activeContexts.delete(hostname);
+        this.certificateCache.delete(hostname);
       }
-
-      this.httpsServer.addContext(hostCandidate.hostName, {
-        cert: hostCandidate.publicKey,
-        key: hostCandidate.privateKey,
-      });
     }
   }
 
-  public async addDefaultHeaders(headersArg: { [key: string]: string }) {
-    for (const headerKey of Object.keys(headersArg)) {
-      this.defaultHeaders[headerKey] = headersArg[headerKey];
-    }
+  /**
+   * Adds default headers to be included in all responses
+   */
+  public async addDefaultHeaders(headersArg: { [key: string]: string }): Promise<void> {
+    this.log('info', 'Adding default headers', headersArg);
+    this.defaultHeaders = {
+      ...this.defaultHeaders,
+      ...headersArg
+    };
   }
 
-  public async stop() {
-    const done = plugins.smartpromise.defer();
-    this.httpsServer.close(() => {
-      done.resolve();
-    });
+  /**
+   * Stops the proxy server
+   */
+  public async stop(): Promise<void> {
+    this.log('info', 'Stopping NetworkProxy server');
+    
+    // Clear intervals
+    if (this.heartbeatInterval) {
+      clearInterval(this.heartbeatInterval);
+    }
+    
+    if (this.metricsInterval) {
+      clearInterval(this.metricsInterval);
+    }
+    
+    // Close WebSocket server if exists
+    if (this.wsServer) {
+      for (const client of this.wsServer.clients) {
+        try {
+          client.terminate();
+        } catch (error) {
+          this.log('error', 'Error terminating WebSocket client', error);
+        }
+      }
+    }
+    
+    // Close all tracked sockets
     for (const socket of this.socketMap.getArray()) {
-      socket.destroy();
+      try {
+        socket.destroy();
+      } catch (error) {
+        this.log('error', 'Error destroying socket', error);
+      }
+    }
+    
+    // Close the HTTPS server
+    return new Promise((resolve) => {
+      this.httpsServer.close(() => {
+        this.log('info', 'NetworkProxy server stopped successfully');
+        resolve();
+      });
+    });
+  }
+
+  /**
+   * Logs a message according to the configured log level
+   */
+  private log(level: 'error' | 'warn' | 'info' | 'debug', message: string, data?: any): void {
+    const logLevels = {
+      error: 0,
+      warn: 1,
+      info: 2,
+      debug: 3
+    };
+    
+    // Skip if log level is higher than configured
+    if (logLevels[level] > logLevels[this.options.logLevel]) {
+      return;
+    }
+    
+    const timestamp = new Date().toISOString();
+    const prefix = `[${timestamp}] [${level.toUpperCase()}]`;
+    
+    switch (level) {
+      case 'error':
+        console.error(`${prefix} ${message}`, data || '');
+        break;
+      case 'warn':
+        console.warn(`${prefix} ${message}`, data || '');
+        break;
+      case 'info':
+        console.log(`${prefix} ${message}`, data || '');
+        break;
+      case 'debug':
+        console.log(`${prefix} ${message}`, data || '');
+        break;
     }
-    await done.promise;
-    clearInterval(this.heartbeatInterval);
-    console.log('NetworkProxy -> OK: Server has been stopped and all connections closed.');
   }
 }