@push.rocks/smartproxy 3.41.8 → 4.1.0

package/dist_ts/classes.pp.timeoutmanager.d.ts

@@ -0,0 +1,47 @@
+import type { IConnectionRecord, IPortProxySettings } from './classes.pp.interfaces.js';
+/**
+ * Manages timeouts and inactivity tracking for connections
+ */
+export declare class TimeoutManager {
+    private settings;
+    constructor(settings: IPortProxySettings);
+    /**
+     * Ensure timeout values don't exceed Node.js max safe integer
+     */
+    ensureSafeTimeout(timeout: number): number;
+    /**
+     * Generate a slightly randomized timeout to prevent thundering herd
+     */
+    randomizeTimeout(baseTimeout: number, variationPercent?: number): number;
+    /**
+     * Update connection activity timestamp
+     */
+    updateActivity(record: IConnectionRecord): void;
+    /**
+     * Calculate effective inactivity timeout based on connection type
+     */
+    getEffectiveInactivityTimeout(record: IConnectionRecord): number;
+    /**
+     * Calculate effective max lifetime based on connection type
+     */
+    getEffectiveMaxLifetime(record: IConnectionRecord): number;
+    /**
+     * Setup connection timeout
+     * @returns The cleanup timer
+     */
+    setupConnectionTimeout(record: IConnectionRecord, onTimeout: (record: IConnectionRecord, reason: string) => void): NodeJS.Timeout;
+    /**
+     * Check for inactivity on a connection
+     * @returns Object with check results
+     */
+    checkInactivity(record: IConnectionRecord): {
+        isInactive: boolean;
+        shouldWarn: boolean;
+        inactivityTime: number;
+        effectiveTimeout: number;
+    };
+    /**
+     * Apply socket timeout settings
+     */
+    applySocketTimeouts(record: IConnectionRecord): void;
+}

package/dist_ts/classes.pp.timeoutmanager.js

@@ -0,0 +1,154 @@
+/**
+ * Manages timeouts and inactivity tracking for connections
+ */
+export class TimeoutManager {
+    constructor(settings) {
+        this.settings = settings;
+    }
+    /**
+     * Ensure timeout values don't exceed Node.js max safe integer
+     */
+    ensureSafeTimeout(timeout) {
+        const MAX_SAFE_TIMEOUT = 2147483647; // Maximum safe value (2^31 - 1)
+        return Math.min(Math.floor(timeout), MAX_SAFE_TIMEOUT);
+    }
+    /**
+     * Generate a slightly randomized timeout to prevent thundering herd
+     */
+    randomizeTimeout(baseTimeout, variationPercent = 5) {
+        const safeBaseTimeout = this.ensureSafeTimeout(baseTimeout);
+        const variation = safeBaseTimeout * (variationPercent / 100);
+        return this.ensureSafeTimeout(safeBaseTimeout + Math.floor(Math.random() * variation * 2) - variation);
+    }
+    /**
+     * Update connection activity timestamp
+     */
+    updateActivity(record) {
+        record.lastActivity = Date.now();
+        // Clear any inactivity warning
+        if (record.inactivityWarningIssued) {
+            record.inactivityWarningIssued = false;
+        }
+    }
+    /**
+     * Calculate effective inactivity timeout based on connection type
+     */
+    getEffectiveInactivityTimeout(record) {
+        let effectiveTimeout = this.settings.inactivityTimeout || 14400000; // 4 hours default
+        // For immortal keep-alive connections, use an extremely long timeout
+        if (record.hasKeepAlive && this.settings.keepAliveTreatment === 'immortal') {
+            return Number.MAX_SAFE_INTEGER;
+        }
+        // For extended keep-alive connections, apply multiplier
+        if (record.hasKeepAlive && this.settings.keepAliveTreatment === 'extended') {
+            const multiplier = this.settings.keepAliveInactivityMultiplier || 6;
+            effectiveTimeout = effectiveTimeout * multiplier;
+        }
+        return this.ensureSafeTimeout(effectiveTimeout);
+    }
+    /**
+     * Calculate effective max lifetime based on connection type
+     */
+    getEffectiveMaxLifetime(record) {
+        // Use domain-specific timeout if available
+        const baseTimeout = record.domainConfig?.connectionTimeout ||
+            this.settings.maxConnectionLifetime ||
+            86400000; // 24 hours default
+        // For immortal keep-alive connections, use an extremely long lifetime
+        if (record.hasKeepAlive && this.settings.keepAliveTreatment === 'immortal') {
+            return Number.MAX_SAFE_INTEGER;
+        }
+        // For extended keep-alive connections, use the extended lifetime setting
+        if (record.hasKeepAlive && this.settings.keepAliveTreatment === 'extended') {
+            return this.ensureSafeTimeout(this.settings.extendedKeepAliveLifetime || 7 * 24 * 60 * 60 * 1000 // 7 days default
+            );
+        }
+        // Apply randomization if enabled
+        if (this.settings.enableRandomizedTimeouts) {
+            return this.randomizeTimeout(baseTimeout);
+        }
+        return this.ensureSafeTimeout(baseTimeout);
+    }
+    /**
+     * Setup connection timeout
+     * @returns The cleanup timer
+     */
+    setupConnectionTimeout(record, onTimeout) {
+        // Clear any existing timer
+        if (record.cleanupTimer) {
+            clearTimeout(record.cleanupTimer);
+        }
+        // Calculate effective timeout
+        const effectiveLifetime = this.getEffectiveMaxLifetime(record);
+        // Set up the timeout
+        const timer = setTimeout(() => {
+            // Call the provided callback
+            onTimeout(record, 'connection_timeout');
+        }, effectiveLifetime);
+        // Make sure timeout doesn't keep the process alive
+        if (timer.unref) {
+            timer.unref();
+        }
+        return timer;
+    }
+    /**
+     * Check for inactivity on a connection
+     * @returns Object with check results
+     */
+    checkInactivity(record) {
+        // Skip for connections with inactivity check disabled
+        if (this.settings.disableInactivityCheck) {
+            return {
+                isInactive: false,
+                shouldWarn: false,
+                inactivityTime: 0,
+                effectiveTimeout: 0
+            };
+        }
+        // Skip for immortal keep-alive connections
+        if (record.hasKeepAlive && this.settings.keepAliveTreatment === 'immortal') {
+            return {
+                isInactive: false,
+                shouldWarn: false,
+                inactivityTime: 0,
+                effectiveTimeout: 0
+            };
+        }
+        const now = Date.now();
+        const inactivityTime = now - record.lastActivity;
+        const effectiveTimeout = this.getEffectiveInactivityTimeout(record);
+        // Check if inactive
+        const isInactive = inactivityTime > effectiveTimeout;
+        // For keep-alive connections, we should warn first
+        const shouldWarn = record.hasKeepAlive &&
+            isInactive &&
+            !record.inactivityWarningIssued;
+        return {
+            isInactive,
+            shouldWarn,
+            inactivityTime,
+            effectiveTimeout
+        };
+    }
+    /**
+     * Apply socket timeout settings
+     */
+    applySocketTimeouts(record) {
+        // Skip for immortal keep-alive connections
+        if (record.hasKeepAlive && this.settings.keepAliveTreatment === 'immortal') {
+            // Disable timeouts completely for immortal connections
+            record.incoming.setTimeout(0);
+            if (record.outgoing) {
+                record.outgoing.setTimeout(0);
+            }
+            return;
+        }
+        // Apply normal timeouts
+        const timeout = this.ensureSafeTimeout(this.settings.socketTimeout || 3600000); // 1 hour default
+        record.incoming.setTimeout(timeout);
+        if (record.outgoing) {
+            record.outgoing.setTimeout(timeout);
+        }
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xhc3Nlcy5wcC50aW1lb3V0bWFuYWdlci5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uL3RzL2NsYXNzZXMucHAudGltZW91dG1hbmFnZXIudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBRUE7O0dBRUc7QUFDSCxNQUFNLE9BQU8sY0FBYztJQUN6QixZQUFvQixRQUE0QjtRQUE1QixhQUFRLEdBQVIsUUFBUSxDQUFvQjtJQUFHLENBQUM7SUFFcEQ7O09BRUc7SUFDSSxpQkFBaUIsQ0FBQyxPQUFlO1FBQ3RDLE1BQU0sZ0JBQWdCLEdBQUcsVUFBVSxDQUFDLENBQUMsZ0NBQWdDO1FBQ3JFLE9BQU8sSUFBSSxDQUFDLEdBQUcsQ0FBQyxJQUFJLENBQUMsS0FBSyxDQUFDLE9BQU8sQ0FBQyxFQUFFLGdCQUFnQixDQUFDLENBQUM7SUFDekQsQ0FBQztJQUVEOztPQUVHO0lBQ0ksZ0JBQWdCLENBQUMsV0FBbUIsRUFBRSxtQkFBMkIsQ0FBQztRQUN2RSxNQUFNLGVBQWUsR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsV0FBVyxDQUFDLENBQUM7UUFDNUQsTUFBTSxTQUFTLEdBQUcsZUFBZSxHQUFHLENBQUMsZ0JBQWdCLEdBQUcsR0FBRyxDQUFDLENBQUM7UUFDN0QsT0FBTyxJQUFJLENBQUMsaUJBQWlCLENBQzNCLGVBQWUsR0FBRyxJQUFJLENBQUMsS0FBSyxDQUFDLElBQUksQ0FBQyxNQUFNLEVBQUUsR0FBRyxTQUFTLEdBQUcsQ0FBQyxDQUFDLEdBQUcsU0FBUyxDQUN4RSxDQUFDO0lBQ0osQ0FBQztJQUVEOztPQUVHO0lBQ0ksY0FBYyxDQUFDLE1BQXlCO1FBQzdDLE1BQU0sQ0FBQyxZQUFZLEdBQUcsSUFBSSxDQUFDLEdBQUcsRUFBRSxDQUFDO1FBRWpDLCtCQUErQjtRQUMvQixJQUFJLE1BQU0sQ0FBQyx1QkFBdUIsRUFBRSxDQUFDO1lBQ25DLE1BQU0sQ0FBQyx1QkFBdUIsR0FBRyxLQUFLLENBQUM7UUFDekMsQ0FBQztJQUNILENBQUM7SUFFRDs7T0FFRztJQUNJLDZCQUE2QixDQUFDLE1BQXlCO1FBQzVELElBQUksZ0JBQWdCLEdBQUcsSUFBSSxDQUFDLFFBQVEsQ0FBQyxpQkFBaUIsSUFBSSxRQUFRLENBQUMsQ0FBQyxrQkFBa0I7UUFFdEYscUVBQXFFO1FBQ3JFLElBQUksTUFBTSxDQUFDLFlBQVksSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLGtCQUFrQixLQUFLLFVBQVUsRUFBRSxDQUFDO1lBQzNFLE9BQU8sTUFBTSxDQUFDLGdCQUFnQixDQUFDO1FBQ2pDLENBQUM7UUFFRCx3REFBd0Q7UUFDeEQsSUFBSSxNQUFNLENBQUMsWUFBWSxJQUFJLElBQUksQ0FBQyxRQUFRLENBQUMsa0JBQWtCLEtBQUssVUFBVSxFQUFFLENBQUM7WUFDM0UsTUFBTSxVQUFVLEdBQUcsSUFBSSxDQUFDLFFBQVEsQ0FBQyw2QkFBNkIsSUFBSSxDQUFDLENBQUM7WUFDcEUsZ0JBQWdCLEdBQUcsZ0JBQWdCLEdBQUcsVUFBVSxDQUFDO1FBQ25ELENBQUM7UUFFRCxPQUFPLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxnQkFBZ0IsQ0FBQyxDQUFDO0lBQ2xELENBQUM7SUFFRDs7T0FFRztJQUNJLHVCQUF1QixDQUFDLE1BQXlCO1FBQ3RELDJDQUEyQztRQUMzQyxNQUFNLFdBQVcsR0FBRyxNQUFNLENBQUMsWUFBWSxFQUFFLGlCQUFpQjtZQUN0QyxJQUFJLENBQUMsUUFBUSxDQUFDLHFCQUFxQjtZQUNuQyxRQUFRLENBQUMsQ0FBQyxtQkFBbUI7UUFFakQsc0VBQXNFO1FBQ3RFLElBQUksTUFBTSxDQUFDLFlBQVksSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLGtCQUFrQixLQUFLLFVBQVUsRUFBRSxDQUFDO1lBQzNFLE9BQU8sTUFBTSxDQUFDLGdCQUFnQixDQUFDO1FBQ2pDLENBQUM7UUFFRCx5RUFBeUU7UUFDekUsSUFBSSxNQUFNLENBQUMsWUFBWSxJQUFJLElBQUksQ0FBQyxRQUFRLENBQUMsa0JBQWtCLEtBQUssVUFBVSxFQUFFLENBQUM7WUFDM0UsT0FBTyxJQUFJLENBQUMsaUJBQWlCLENBQzNCLElBQUksQ0FBQyxRQUFRLENBQUMseUJBQXlCLElBQUksQ0FBQyxHQUFHLEVBQUUsR0FBRyxFQUFFLEdBQUcsRUFBRSxHQUFHLElBQUksQ0FBQyxpQkFBaUI7YUFDckYsQ0FBQztRQUNKLENBQUM7UUFFRCxpQ0FBaUM7UUFDakMsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLHdCQUF3QixFQUFFLENBQUM7WUFDM0MsT0FBTyxJQUFJLENBQUMsZ0JBQWdCLENBQUMsV0FBVyxDQUFDLENBQUM7UUFDNUMsQ0FBQztRQUVELE9BQU8sSUFBSSxDQUFDLGlCQUFpQixDQUFDLFdBQVcsQ0FBQyxDQUFDO0lBQzdDLENBQUM7SUFFRDs7O09BR0c7SUFDSSxzQkFBc0IsQ0FDM0IsTUFBeUIsRUFDekIsU0FBOEQ7UUFFOUQsMkJBQTJCO1FBQzNCLElBQUksTUFBTSxDQUFDLFlBQVksRUFBRSxDQUFDO1lBQ3hCLFlBQVksQ0FBQyxNQUFNLENBQUMsWUFBWSxDQUFDLENBQUM7UUFDcEMsQ0FBQztRQUVELDhCQUE4QjtRQUM5QixNQUFNLGlCQUFpQixHQUFHLElBQUksQ0FBQyx1QkFBdUIsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUUvRCxxQkFBcUI7UUFDckIsTUFBTSxLQUFLLEdBQUcsVUFBVSxDQUFDLEdBQUcsRUFBRTtZQUM1Qiw2QkFBNkI7WUFDN0IsU0FBUyxDQUFDLE1BQU0sRUFBRSxvQkFBb0IsQ0FBQyxDQUFDO1FBQzFDLENBQUMsRUFBRSxpQkFBaUIsQ0FBQyxDQUFDO1FBRXRCLG1EQUFtRDtRQUNuRCxJQUFJLEtBQUssQ0FBQyxLQUFLLEVBQUUsQ0FBQztZQUNoQixLQUFLLENBQUMsS0FBSyxFQUFFLENBQUM7UUFDaEIsQ0FBQztRQUVELE9BQU8sS0FBSyxDQUFDO0lBQ2YsQ0FBQztJQUVEOzs7T0FHRztJQUNJLGVBQWUsQ0FBQyxNQUF5QjtRQU05QyxzREFBc0Q7UUFDdEQsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLHNCQUFzQixFQUFFLENBQUM7WUFDekMsT0FBTztnQkFDTCxVQUFVLEVBQUUsS0FBSztnQkFDakIsVUFBVSxFQUFFLEtBQUs7Z0JBQ2pCLGNBQWMsRUFBRSxDQUFDO2dCQUNqQixnQkFBZ0IsRUFBRSxDQUFDO2FBQ3BCLENBQUM7UUFDSixDQUFDO1FBRUQsMkNBQTJDO1FBQzNDLElBQUksTUFBTSxDQUFDLFlBQVksSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLGtCQUFrQixLQUFLLFVBQVUsRUFBRSxDQUFDO1lBQzNFLE9BQU87Z0JBQ0wsVUFBVSxFQUFFLEtBQUs7Z0JBQ2pCLFVBQVUsRUFBRSxLQUFLO2dCQUNqQixjQUFjLEVBQUUsQ0FBQztnQkFDakIsZ0JBQWdCLEVBQUUsQ0FBQzthQUNwQixDQUFDO1FBQ0osQ0FBQztRQUVELE1BQU0sR0FBRyxHQUFHLElBQUksQ0FBQyxHQUFHLEVBQUUsQ0FBQztRQUN2QixNQUFNLGNBQWMsR0FBRyxHQUFHLEdBQUcsTUFBTSxDQUFDLFlBQVksQ0FBQztRQUNqRCxNQUFNLGdCQUFnQixHQUFHLElBQUksQ0FBQyw2QkFBNkIsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUVwRSxvQkFBb0I7UUFDcEIsTUFBTSxVQUFVLEdBQUcsY0FBYyxHQUFHLGdCQUFnQixDQUFDO1FBRXJELG1EQUFtRDtRQUNuRCxNQUFNLFVBQVUsR0FBRyxNQUFNLENBQUMsWUFBWTtZQUNuQixVQUFVO1lBQ1YsQ0FBQyxNQUFNLENBQUMsdUJBQXVCLENBQUM7UUFFbkQsT0FBTztZQUNMLFVBQVU7WUFDVixVQUFVO1lBQ1YsY0FBYztZQUNkLGdCQUFnQjtTQUNqQixDQUFDO0lBQ0osQ0FBQztJQUVEOztPQUVHO0lBQ0ksbUJBQW1CLENBQUMsTUFBeUI7UUFDbEQsMkNBQTJDO1FBQzNDLElBQUksTUFBTSxDQUFDLFlBQVksSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLGtCQUFrQixLQUFLLFVBQVUsRUFBRSxDQUFDO1lBQzNFLHVEQUF1RDtZQUN2RCxNQUFNLENBQUMsUUFBUSxDQUFDLFVBQVUsQ0FBQyxDQUFDLENBQUMsQ0FBQztZQUM5QixJQUFJLE1BQU0sQ0FBQyxRQUFRLEVBQUUsQ0FBQztnQkFDcEIsTUFBTSxDQUFDLFFBQVEsQ0FBQyxVQUFVLENBQUMsQ0FBQyxDQUFDLENBQUM7WUFDaEMsQ0FBQztZQUNELE9BQU87UUFDVCxDQUFDO1FBRUQsd0JBQXdCO1FBQ3hCLE1BQU0sT0FBTyxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLGFBQWEsSUFBSSxPQUFPLENBQUMsQ0FBQyxDQUFDLGlCQUFpQjtRQUNqRyxNQUFNLENBQUMsUUFBUSxDQUFDLFVBQVUsQ0FBQyxPQUFPLENBQUMsQ0FBQztRQUNwQyxJQUFJLE1BQU0sQ0FBQyxRQUFRLEVBQUUsQ0FBQztZQUNwQixNQUFNLENBQUMsUUFBUSxDQUFDLFVBQVUsQ0FBQyxPQUFPLENBQUMsQ0FBQztRQUN0QyxDQUFDO0lBQ0gsQ0FBQztDQUNGIn0=

package/dist_ts/classes.pp.tlsmanager.d.ts

@@ -0,0 +1,57 @@
+import type { IPortProxySettings } from './classes.pp.interfaces.js';
+/**
+ * Interface for connection information used for SNI extraction
+ */
+interface IConnectionInfo {
+    sourceIp: string;
+    sourcePort: number;
+    destIp: string;
+    destPort: number;
+}
+/**
+ * Manages TLS-related operations including SNI extraction and validation
+ */
+export declare class TlsManager {
+    private settings;
+    constructor(settings: IPortProxySettings);
+    /**
+     * Check if a data chunk appears to be a TLS handshake
+     */
+    isTlsHandshake(chunk: Buffer): boolean;
+    /**
+     * Check if a data chunk appears to be a TLS ClientHello
+     */
+    isClientHello(chunk: Buffer): boolean;
+    /**
+     * Extract Server Name Indication (SNI) from TLS handshake
+     */
+    extractSNI(chunk: Buffer, connInfo: IConnectionInfo, previousDomain?: string): string | undefined;
+    /**
+     * Handle session resumption attempts
+     */
+    handleSessionResumption(chunk: Buffer, connectionId: string, hasSNI: boolean): {
+        shouldBlock: boolean;
+        reason?: string;
+    };
+    /**
+     * Check for SNI mismatch during renegotiation
+     */
+    checkRenegotiationSNI(chunk: Buffer, connInfo: IConnectionInfo, expectedDomain: string, connectionId: string): {
+        hasMismatch: boolean;
+        extractedSNI?: string;
+    };
+    /**
+     * Create a renegotiation handler function for a connection
+     */
+    createRenegotiationHandler(connectionId: string, lockedDomain: string, connInfo: IConnectionInfo, onMismatch: (connectionId: string, reason: string) => void): (chunk: Buffer) => void;
+    /**
+     * Analyze TLS connection for browser fingerprinting
+     * This helps identify browser vs non-browser connections
+     */
+    analyzeClientHello(chunk: Buffer): {
+        isBrowserConnection: boolean;
+        isRenewal: boolean;
+        hasSNI: boolean;
+    };
+}
+export {};

package/dist_ts/classes.pp.tlsmanager.js

@@ -0,0 +1,132 @@
+import * as plugins from './plugins.js';
+import { SniHandler } from './classes.pp.snihandler.js';
+/**
+ * Manages TLS-related operations including SNI extraction and validation
+ */
+export class TlsManager {
+    constructor(settings) {
+        this.settings = settings;
+    }
+    /**
+     * Check if a data chunk appears to be a TLS handshake
+     */
+    isTlsHandshake(chunk) {
+        return SniHandler.isTlsHandshake(chunk);
+    }
+    /**
+     * Check if a data chunk appears to be a TLS ClientHello
+     */
+    isClientHello(chunk) {
+        return SniHandler.isClientHello(chunk);
+    }
+    /**
+     * Extract Server Name Indication (SNI) from TLS handshake
+     */
+    extractSNI(chunk, connInfo, previousDomain) {
+        // Use the SniHandler to process the TLS packet
+        return SniHandler.processTlsPacket(chunk, connInfo, this.settings.enableTlsDebugLogging || false, previousDomain);
+    }
+    /**
+     * Handle session resumption attempts
+     */
+    handleSessionResumption(chunk, connectionId, hasSNI) {
+        // Skip if session tickets are allowed
+        if (this.settings.allowSessionTicket !== false) {
+            return { shouldBlock: false };
+        }
+        // Check for session resumption attempt
+        const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging || false);
+        // If this is a resumption attempt without SNI, block it
+        if (resumptionInfo.isResumption && !hasSNI && !resumptionInfo.hasSNI) {
+            if (this.settings.enableTlsDebugLogging) {
+                console.log(`[${connectionId}] Session resumption detected without SNI and allowSessionTicket=false. ` +
+                    `Terminating connection to force new TLS handshake.`);
+            }
+            return {
+                shouldBlock: true,
+                reason: 'session_ticket_blocked'
+            };
+        }
+        return { shouldBlock: false };
+    }
+    /**
+     * Check for SNI mismatch during renegotiation
+     */
+    checkRenegotiationSNI(chunk, connInfo, expectedDomain, connectionId) {
+        // Only process if this looks like a TLS ClientHello
+        if (!this.isClientHello(chunk)) {
+            return { hasMismatch: false };
+        }
+        try {
+            // Extract SNI with renegotiation support
+            const newSNI = SniHandler.extractSNIWithResumptionSupport(chunk, connInfo, this.settings.enableTlsDebugLogging || false);
+            // Skip if no SNI was found
+            if (!newSNI)
+                return { hasMismatch: false };
+            // Check for SNI mismatch
+            if (newSNI !== expectedDomain) {
+                if (this.settings.enableTlsDebugLogging) {
+                    console.log(`[${connectionId}] Renegotiation with different SNI: ${expectedDomain} -> ${newSNI}. ` +
+                        `Terminating connection - SNI domain switching is not allowed.`);
+                }
+                return { hasMismatch: true, extractedSNI: newSNI };
+            }
+            else if (this.settings.enableTlsDebugLogging) {
+                console.log(`[${connectionId}] Renegotiation detected with same SNI: ${newSNI}. Allowing.`);
+            }
+        }
+        catch (err) {
+            console.log(`[${connectionId}] Error processing ClientHello: ${err}. Allowing connection to continue.`);
+        }
+        return { hasMismatch: false };
+    }
+    /**
+     * Create a renegotiation handler function for a connection
+     */
+    createRenegotiationHandler(connectionId, lockedDomain, connInfo, onMismatch) {
+        return (chunk) => {
+            const result = this.checkRenegotiationSNI(chunk, connInfo, lockedDomain, connectionId);
+            if (result.hasMismatch) {
+                onMismatch(connectionId, 'sni_mismatch');
+            }
+        };
+    }
+    /**
+     * Analyze TLS connection for browser fingerprinting
+     * This helps identify browser vs non-browser connections
+     */
+    analyzeClientHello(chunk) {
+        // Default result
+        const result = {
+            isBrowserConnection: false,
+            isRenewal: false,
+            hasSNI: false
+        };
+        try {
+            // Check if it's a ClientHello
+            if (!this.isClientHello(chunk)) {
+                return result;
+            }
+            // Check for session resumption
+            const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging || false);
+            // Extract SNI
+            const sni = SniHandler.extractSNI(chunk, this.settings.enableTlsDebugLogging || false);
+            // Update result
+            result.isRenewal = resumptionInfo.isResumption;
+            result.hasSNI = !!sni;
+            // Browsers typically:
+            // 1. Send SNI extension
+            // 2. Have a variety of extensions (ALPN, etc.)
+            // 3. Use standard cipher suites
+            // ...more complex heuristics could be implemented here
+            // Simple heuristic: presence of SNI suggests browser
+            result.isBrowserConnection = !!sni;
+            return result;
+        }
+        catch (err) {
+            console.log(`Error analyzing ClientHello: ${err}`);
+            return result;
+        }
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xhc3Nlcy5wcC50bHNtYW5hZ2VyLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vdHMvY2xhc3Nlcy5wcC50bHNtYW5hZ2VyLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sS0FBSyxPQUFPLE1BQU0sY0FBYyxDQUFDO0FBRXhDLE9BQU8sRUFBRSxVQUFVLEVBQUUsTUFBTSw0QkFBNEIsQ0FBQztBQVl4RDs7R0FFRztBQUNILE1BQU0sT0FBTyxVQUFVO0lBQ3JCLFlBQW9CLFFBQTRCO1FBQTVCLGFBQVEsR0FBUixRQUFRLENBQW9CO0lBQUcsQ0FBQztJQUVwRDs7T0FFRztJQUNJLGNBQWMsQ0FBQyxLQUFhO1FBQ2pDLE9BQU8sVUFBVSxDQUFDLGNBQWMsQ0FBQyxLQUFLLENBQUMsQ0FBQztJQUMxQyxDQUFDO0lBRUQ7O09BRUc7SUFDSSxhQUFhLENBQUMsS0FBYTtRQUNoQyxPQUFPLFVBQVUsQ0FBQyxhQUFhLENBQUMsS0FBSyxDQUFDLENBQUM7SUFDekMsQ0FBQztJQUVEOztPQUVHO0lBQ0ksVUFBVSxDQUNmLEtBQWEsRUFDYixRQUF5QixFQUN6QixjQUF1QjtRQUV2QiwrQ0FBK0M7UUFDL0MsT0FBTyxVQUFVLENBQUMsZ0JBQWdCLENBQ2hDLEtBQUssRUFDTCxRQUFRLEVBQ1IsSUFBSSxDQUFDLFFBQVEsQ0FBQyxxQkFBcUIsSUFBSSxLQUFLLEVBQzVDLGNBQWMsQ0FDZixDQUFDO0lBQ0osQ0FBQztJQUVEOztPQUVHO0lBQ0ksdUJBQXVCLENBQzVCLEtBQWEsRUFDYixZQUFvQixFQUNwQixNQUFlO1FBRWYsc0NBQXNDO1FBQ3RDLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxrQkFBa0IsS0FBSyxLQUFLLEVBQUUsQ0FBQztZQUMvQyxPQUFPLEVBQUUsV0FBVyxFQUFFLEtBQUssRUFBRSxDQUFDO1FBQ2hDLENBQUM7UUFFRCx1Q0FBdUM7UUFDdkMsTUFBTSxjQUFjLEdBQUcsVUFBVSxDQUFDLG9CQUFvQixDQUNwRCxLQUFLLEVBQ0wsSUFBSSxDQUFDLFFBQVEsQ0FBQyxxQkFBcUIsSUFBSSxLQUFLLENBQzdDLENBQUM7UUFFRix3REFBd0Q7UUFDeEQsSUFBSSxjQUFjLENBQUMsWUFBWSxJQUFJLENBQUMsTUFBTSxJQUFJLENBQUMsY0FBYyxDQUFDLE1BQU0sRUFBRSxDQUFDO1lBQ3JFLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxxQkFBcUIsRUFBRSxDQUFDO2dCQUN4QyxPQUFPLENBQUMsR0FBRyxDQUNULElBQUksWUFBWSwwRUFBMEU7b0JBQzFGLG9EQUFvRCxDQUNyRCxDQUFDO1lBQ0osQ0FBQztZQUNELE9BQU87Z0JBQ0wsV0FBVyxFQUFFLElBQUk7Z0JBQ2pCLE1BQU0sRUFBRSx3QkFBd0I7YUFDakMsQ0FBQztRQUNKLENBQUM7UUFFRCxPQUFPLEVBQUUsV0FBVyxFQUFFLEtBQUssRUFBRSxDQUFDO0lBQ2hDLENBQUM7SUFFRDs7T0FFRztJQUNJLHFCQUFxQixDQUMxQixLQUFhLEVBQ2IsUUFBeUIsRUFDekIsY0FBc0IsRUFDdEIsWUFBb0I7UUFFcEIsb0RBQW9EO1FBQ3BELElBQUksQ0FBQyxJQUFJLENBQUMsYUFBYSxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUM7WUFDL0IsT0FBTyxFQUFFLFdBQVcsRUFBRSxLQUFLLEVBQUUsQ0FBQztRQUNoQyxDQUFDO1FBRUQsSUFBSSxDQUFDO1lBQ0gseUNBQXlDO1lBQ3pDLE1BQU0sTUFBTSxHQUFHLFVBQVUsQ0FBQywrQkFBK0IsQ0FDdkQsS0FBSyxFQUNMLFFBQVEsRUFDUixJQUFJLENBQUMsUUFBUSxDQUFDLHFCQUFxQixJQUFJLEtBQUssQ0FDN0MsQ0FBQztZQUVGLDJCQUEyQjtZQUMzQixJQUFJLENBQUMsTUFBTTtnQkFBRSxPQUFPLEVBQUUsV0FBVyxFQUFFLEtBQUssRUFBRSxDQUFDO1lBRTNDLHlCQUF5QjtZQUN6QixJQUFJLE1BQU0sS0FBSyxjQUFjLEVBQUUsQ0FBQztnQkFDOUIsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLHFCQUFxQixFQUFFLENBQUM7b0JBQ3hDLE9BQU8sQ0FBQyxHQUFHLENBQ1QsSUFBSSxZQUFZLHVDQUF1QyxjQUFjLE9BQU8sTUFBTSxJQUFJO3dCQUN0RiwrREFBK0QsQ0FDaEUsQ0FBQztnQkFDSixDQUFDO2dCQUNELE9BQU8sRUFBRSxXQUFXLEVBQUUsSUFBSSxFQUFFLFlBQVksRUFBRSxNQUFNLEVBQUUsQ0FBQztZQUNyRCxDQUFDO2lCQUFNLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxxQkFBcUIsRUFBRSxDQUFDO2dCQUMvQyxPQUFPLENBQUMsR0FBRyxDQUNULElBQUksWUFBWSwyQ0FBMkMsTUFBTSxhQUFhLENBQy9FLENBQUM7WUFDSixDQUFDO1FBQ0gsQ0FBQztRQUFDLE9BQU8sR0FBRyxFQUFFLENBQUM7WUFDYixPQUFPLENBQUMsR0FBRyxDQUNULElBQUksWUFBWSxtQ0FBbUMsR0FBRyxvQ0FBb0MsQ0FDM0YsQ0FBQztRQUNKLENBQUM7UUFFRCxPQUFPLEVBQUUsV0FBVyxFQUFFLEtBQUssRUFBRSxDQUFDO0lBQ2hDLENBQUM7SUFFRDs7T0FFRztJQUNJLDBCQUEwQixDQUMvQixZQUFvQixFQUNwQixZQUFvQixFQUNwQixRQUF5QixFQUN6QixVQUEwRDtRQUUxRCxPQUFPLENBQUMsS0FBYSxFQUFFLEVBQUU7WUFDdkIsTUFBTSxNQUFNLEdBQUcsSUFBSSxDQUFDLHFCQUFxQixDQUFDLEtBQUssRUFBRSxRQUFRLEVBQUUsWUFBWSxFQUFFLFlBQVksQ0FBQyxDQUFDO1lBQ3ZGLElBQUksTUFBTSxDQUFDLFdBQVcsRUFBRSxDQUFDO2dCQUN2QixVQUFVLENBQUMsWUFBWSxFQUFFLGNBQWMsQ0FBQyxDQUFDO1lBQzNDLENBQUM7UUFDSCxDQUFDLENBQUM7SUFDSixDQUFDO0lBRUQ7OztPQUdHO0lBQ0ksa0JBQWtCLENBQUMsS0FBYTtRQUtyQyxpQkFBaUI7UUFDakIsTUFBTSxNQUFNLEdBQUc7WUFDYixtQkFBbUIsRUFBRSxLQUFLO1lBQzFCLFNBQVMsRUFBRSxLQUFLO1lBQ2hCLE1BQU0sRUFBRSxLQUFLO1NBQ2QsQ0FBQztRQUVGLElBQUksQ0FBQztZQUNILDhCQUE4QjtZQUM5QixJQUFJLENBQUMsSUFBSSxDQUFDLGFBQWEsQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDO2dCQUMvQixPQUFPLE1BQU0sQ0FBQztZQUNoQixDQUFDO1lBRUQsK0JBQStCO1lBQy9CLE1BQU0sY0FBYyxHQUFHLFVBQVUsQ0FBQyxvQkFBb0IsQ0FDcEQsS0FBSyxFQUNMLElBQUksQ0FBQyxRQUFRLENBQUMscUJBQXFCLElBQUksS0FBSyxDQUM3QyxDQUFDO1lBRUYsY0FBYztZQUNkLE1BQU0sR0FBRyxHQUFHLFVBQVUsQ0FBQyxVQUFVLENBQy9CLEtBQUssRUFDTCxJQUFJLENBQUMsUUFBUSxDQUFDLHFCQUFxQixJQUFJLEtBQUssQ0FDN0MsQ0FBQztZQUVGLGdCQUFnQjtZQUNoQixNQUFNLENBQUMsU0FBUyxHQUFHLGNBQWMsQ0FBQyxZQUFZLENBQUM7WUFDL0MsTUFBTSxDQUFDLE1BQU0sR0FBRyxDQUFDLENBQUMsR0FBRyxDQUFDO1lBRXRCLHNCQUFzQjtZQUN0Qix3QkFBd0I7WUFDeEIsK0NBQStDO1lBQy9DLGdDQUFnQztZQUNoQyx1REFBdUQ7WUFFdkQscURBQXFEO1lBQ3JELE1BQU0sQ0FBQyxtQkFBbUIsR0FBRyxDQUFDLENBQUMsR0FBRyxDQUFDO1lBRW5DLE9BQU8sTUFBTSxDQUFDO1FBQ2hCLENBQUM7UUFBQyxPQUFPLEdBQUcsRUFBRSxDQUFDO1lBQ2IsT0FBTyxDQUFDLEdBQUcsQ0FBQyxnQ0FBZ0MsR0FBRyxFQUFFLENBQUMsQ0FBQztZQUNuRCxPQUFPLE1BQU0sQ0FBQztRQUNoQixDQUFDO0lBQ0gsQ0FBQztDQUNGIn0=

package/dist_ts/index.d.ts

@@ -1,6 +1,6 @@
 export * from './classes.iptablesproxy.js';
 export * from './classes.networkproxy.js';
-export * from './classes.portproxy.js';
+export * from './classes.pp.portproxy.js';
 export * from './classes.port80handler.js';
 export * from './classes.sslredirect.js';
-export * from './classes.snihandler.js';
+export * from './classes.pp.snihandler.js';

package/dist_ts/index.js

@@ -1,7 +1,7 @@
 export * from './classes.iptablesproxy.js';
 export * from './classes.networkproxy.js';
-export * from './classes.portproxy.js';
+export * from './classes.pp.portproxy.js';
 export * from './classes.port80handler.js';
 export * from './classes.sslredirect.js';
-export * from './classes.snihandler.js';
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi90cy9pbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxjQUFjLDRCQUE0QixDQUFDO0FBQzNDLGNBQWMsMkJBQTJCLENBQUM7QUFDMUMsY0FBYyx3QkFBd0IsQ0FBQztBQUN2QyxjQUFjLDRCQUE0QixDQUFDO0FBQzNDLGNBQWMsMEJBQTBCLENBQUM7QUFDekMsY0FBYyx5QkFBeUIsQ0FBQyJ9
+export * from './classes.pp.snihandler.js';
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi90cy9pbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxjQUFjLDRCQUE0QixDQUFDO0FBQzNDLGNBQWMsMkJBQTJCLENBQUM7QUFDMUMsY0FBYywyQkFBMkIsQ0FBQztBQUMxQyxjQUFjLDRCQUE0QixDQUFDO0FBQzNDLGNBQWMsMEJBQTBCLENBQUM7QUFDekMsY0FBYyw0QkFBNEIsQ0FBQyJ9

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "3.41.8",
+  "version": "4.1.0",
   "private": false,
   "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.",
   "main": "dist_ts/index.js",

package/ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '3.41.8',
+  version: '4.1.0',
   description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
 }

package/ts/classes.pp.acmemanager.ts

@@ -0,0 +1,149 @@
+import type { IPortProxySettings } from './classes.pp.interfaces.js';
+import { NetworkProxyBridge } from './classes.pp.networkproxybridge.js';
+
+/**
+ * Manages ACME certificate operations
+ */
+export class AcmeManager {
+  constructor(
+    private settings: IPortProxySettings,
+    private networkProxyBridge: NetworkProxyBridge
+  ) {}
+  
+  /**
+   * Get current ACME settings
+   */
+  public getAcmeSettings(): IPortProxySettings['acme'] {
+    return this.settings.acme;
+  }
+  
+  /**
+   * Check if ACME is enabled
+   */
+  public isAcmeEnabled(): boolean {
+    return !!this.settings.acme?.enabled;
+  }
+  
+  /**
+   * Update ACME certificate settings
+   */
+  public async updateAcmeSettings(acmeSettings: IPortProxySettings['acme']): Promise<void> {
+    console.log('Updating ACME certificate settings');
+    
+    // Check if enabled state is changing
+    const enabledChanging = this.settings.acme?.enabled !== acmeSettings.enabled;
+    
+    // Update settings
+    this.settings.acme = {
+      ...this.settings.acme,
+      ...acmeSettings,
+    };
+    
+    // Get NetworkProxy instance
+    const networkProxy = this.networkProxyBridge.getNetworkProxy();
+    
+    if (!networkProxy) {
+      console.log('Cannot update ACME settings - NetworkProxy not initialized');
+      return;
+    }
+    
+    try {
+      // If enabled state changed, we need to restart NetworkProxy
+      if (enabledChanging) {
+        console.log(`ACME enabled state changed to: ${acmeSettings.enabled}`);
+        
+        // Stop the current NetworkProxy
+        await this.networkProxyBridge.stop();
+        
+        // Reinitialize with new settings
+        await this.networkProxyBridge.initialize();
+        
+        // Start NetworkProxy with new settings
+        await this.networkProxyBridge.start();
+      } else {
+        // Just update the settings in the existing NetworkProxy
+        console.log('Updating ACME settings in NetworkProxy without restart');
+        
+        // Update settings in NetworkProxy
+        if (networkProxy.options && networkProxy.options.acme) {
+          networkProxy.options.acme = { ...this.settings.acme };
+          
+          // For certificate renewals, we might want to trigger checks with the new settings
+          if (acmeSettings.renewThresholdDays !== undefined) {
+            console.log(`Setting new renewal threshold to ${acmeSettings.renewThresholdDays} days`);
+            networkProxy.options.acme.renewThresholdDays = acmeSettings.renewThresholdDays;
+          }
+          
+          // Update other settings that might affect certificate operations
+          if (acmeSettings.useProduction !== undefined) {
+            console.log(`Setting ACME to ${acmeSettings.useProduction ? 'production' : 'staging'} mode`);
+          }
+          
+          if (acmeSettings.autoRenew !== undefined) {
+            console.log(`Setting auto-renewal to ${acmeSettings.autoRenew ? 'enabled' : 'disabled'}`);
+          }
+        }
+      }
+    } catch (err) {
+      console.log(`Error updating ACME settings: ${err}`);
+    }
+  }
+  
+  /**
+   * Request a certificate for a specific domain
+   */
+  public async requestCertificate(domain: string): Promise<boolean> {
+    // Validate domain format
+    if (!this.isValidDomain(domain)) {
+      console.log(`Invalid domain format: ${domain}`);
+      return false;
+    }
+    
+    // Delegate to NetworkProxyManager
+    return this.networkProxyBridge.requestCertificate(domain);
+  }
+  
+  /**
+   * Basic domain validation
+   */
+  private isValidDomain(domain: string): boolean {
+    // Very basic domain validation
+    if (!domain || domain.length === 0) {
+      return false;
+    }
+    
+    // Check for wildcard domains (they can't get ACME certs)
+    if (domain.includes('*')) {
+      console.log(`Wildcard domains like "${domain}" are not supported for ACME certificates`);
+      return false;
+    }
+    
+    // Check if domain has at least one dot and no invalid characters
+    const validDomainRegex = /^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/;
+    if (!validDomainRegex.test(domain)) {
+      console.log(`Domain "${domain}" has invalid format`);
+      return false;
+    }
+    
+    return true;
+  }
+  
+  /**
+   * Get eligible domains for ACME certificates
+   */
+  public getEligibleDomains(): string[] {
+    // Collect all eligible domains from domain configs
+    const domains: string[] = [];
+    
+    for (const config of this.settings.domainConfigs) {
+      // Skip domains that can't be used with ACME
+      const eligibleDomains = config.domains.filter(domain => 
+        !domain.includes('*') && this.isValidDomain(domain)
+      );
+      
+      domains.push(...eligibleDomains);
+    }
+    
+    return domains;
+  }
+}