@push.rocks/smartproxy 5.0.0 → 6.0.0

package/readme.md

@@ -16,7 +16,7 @@ flowchart TB
         HTTP80[HTTP Port 80\nSslRedirect]
         HTTPS443[HTTPS Port 443\nNetworkProxy]
         PortProxy[TCP Port Proxy\nwith SNI routing]
-        IPTables[IPTablesProxy]
+        NfTables[NfTablesProxy]
         Router[ProxyRouter]
         ACME[Port80Handler\nACME/Let's Encrypt]
         Certs[(SSL Certificates)]
@@ -40,7 +40,7 @@ flowchart TB
     PortProxy -->|Direct TCP| Service2
     PortProxy -->|Direct TCP| Service3
     
-    IPTables -.->|Low-level forwarding| PortProxy
+    NfTables -.->|Low-level forwarding| PortProxy
     
     HTTP80 -.->|Challenge Response| ACME
     ACME -.->|Generate/Manage| Certs
@@ -197,7 +197,7 @@ sequenceDiagram
 - **HTTP to HTTPS Redirection** - Automatically redirect HTTP requests to HTTPS
 - **Let's Encrypt Integration** - Automatic certificate management using ACME protocol
 - **IP Filtering** - Control access with IP allow/block lists using glob patterns
-- **IPTables Integration** - Direct manipulation of iptables for low-level port forwarding
+- **NfTables Integration** - Direct manipulation of nftables for advanced low-level port forwarding
 - **Basic Authentication** - Support for basic auth on proxied routes
 - **Connection Management** - Intelligent connection tracking and cleanup with configurable timeouts
 - **Browser Compatibility** - Optimized for modern browsers with fixes for common TLS handshake issues
@@ -315,13 +315,13 @@ const portProxy = new PortProxy({
 portProxy.start();
 ```
 
-### IPTables Port Forwarding
+### NfTables Port Forwarding
 
 ```typescript
-import { IPTablesProxy } from '@push.rocks/smartproxy';
+import { NfTablesProxy } from '@push.rocks/smartproxy';
 
 // Basic usage - forward single port
-const basicProxy = new IPTablesProxy({
+const basicProxy = new NfTablesProxy({
   fromPort: 80,
   toPort: 8080,
   toHost: 'localhost',
@@ -330,7 +330,7 @@ const basicProxy = new IPTablesProxy({
 });
 
 // Forward port ranges
-const rangeProxy = new IPTablesProxy({
+const rangeProxy = new NfTablesProxy({
   fromPort: { from: 3000, to: 3010 },  // Forward ports 3000-3010
   toPort: { from: 8000, to: 8010 },    // To ports 8000-8010
   protocol: 'tcp',                     // TCP protocol (default)
@@ -339,19 +339,26 @@ const rangeProxy = new IPTablesProxy({
 });
 
 // Multiple port specifications with IP filtering
-const advancedProxy = new IPTablesProxy({
+const advancedProxy = new NfTablesProxy({
   fromPort: [80, 443, { from: 8000, to: 8010 }],  // Multiple ports/ranges
   toPort: [8080, 8443, { from: 18000, to: 18010 }],
   allowedSourceIPs: ['10.0.0.0/8', '192.168.1.0/24'],  // Only allow these IPs
   bannedSourceIPs: ['192.168.1.100'],                 // Explicitly block these IPs
-  addJumpRule: true,                                  // Use custom chain for better management
-  checkExistingRules: true                           // Check for duplicate rules
+  useIPSets: true,                                   // Use IP sets for efficient IP management
+  forceCleanSlate: false                             // Clean all NfTablesProxy rules before starting
 });
 
-// NetworkProxy integration for SSL termination
-const sslProxy = new IPTablesProxy({
+// Advanced features: QoS, connection tracking, and NetworkProxy integration
+const advancedProxy = new NfTablesProxy({
   fromPort: 443,
   toPort: 8443,
+  toHost: 'localhost',
+  useAdvancedNAT: true,                // Use connection tracking for stateful NAT
+  qos: {
+    enabled: true,
+    maxRate: '10mbps',                 // Limit bandwidth
+    priority: 1                        // Set traffic priority (1-10)
+  },
   netProxyIntegration: {
     enabled: true,
     redirectLocalhost: true,           // Redirect localhost traffic to NetworkProxy
@@ -372,8 +379,25 @@ import { Port80Handler } from '@push.rocks/smartproxy';
 const acmeHandler = new Port80Handler();
 
 // Add domains to manage certificates for
-acmeHandler.addDomain('example.com');
-acmeHandler.addDomain('api.example.com');
+acmeHandler.addDomain({
+  domainName: 'example.com',
+  sslRedirect: true,
+  acmeMaintenance: true
+});
+
+acmeHandler.addDomain({
+  domainName: 'api.example.com',
+  sslRedirect: true,
+  acmeMaintenance: true
+});
+
+// Support for glob pattern domains for routing (certificates not issued for glob patterns)
+acmeHandler.addDomain({
+  domainName: '*.example.com',
+  sslRedirect: true,
+  acmeMaintenance: false,  // Can't issue certificates for wildcard domains via HTTP-01
+  forward: { ip: '192.168.1.10', port: 8080 }  // Forward requests to this target
+});
 ```
 
 ## Configuration Options
@@ -412,7 +436,7 @@ acmeHandler.addDomain('api.example.com');
 | `enableDetailedLogging`   | Enable detailed connection logging                     | false       |
 | `enableRandomizedTimeouts`| Randomize timeouts slightly to prevent thundering herd | true        |
 
-### IPTablesProxy Settings
+### NfTablesProxy Settings
 
 | Option                | Description                                       | Default     |
 |-----------------------|---------------------------------------------------|-------------|
@@ -420,18 +444,32 @@ acmeHandler.addDomain('api.example.com');
 | `toPort`              | Destination port(s) or range(s) to forward to     | -           |
 | `toHost`              | Destination host to forward to                    | 'localhost' |
 | `preserveSourceIP`    | Preserve the original client IP                   | false       |
-| `deleteOnExit`        | Remove iptables rules when process exits          | false       |
+| `deleteOnExit`        | Remove nftables rules when process exits          | false       |
 | `protocol`            | Protocol to forward ('tcp', 'udp', or 'all')      | 'tcp'       |
 | `enableLogging`       | Enable detailed logging                           | false       |
-| `ipv6Support`         | Enable IPv6 support with ip6tables                | false       |
+| `logFormat`           | Format for logs ('plain' or 'json')               | 'plain'     |
+| `ipv6Support`         | Enable IPv6 support                               | false       |
 | `allowedSourceIPs`    | Array of IP addresses/CIDR allowed to connect     | -           |
 | `bannedSourceIPs`     | Array of IP addresses/CIDR blocked from connecting | -           |
-| `forceCleanSlate`     | Clear all IPTablesProxy rules before starting     | false       |
-| `addJumpRule`         | Add a custom chain for cleaner rule management    | false       |
-| `checkExistingRules`  | Check if rules already exist before adding        | true        |
+| `useIPSets`           | Use nftables sets for efficient IP management     | true        |
+| `forceCleanSlate`     | Clear all NfTablesProxy rules before starting     | false       |
+| `tableName`           | Custom table name                                 | 'portproxy' |
+| `maxRetries`          | Maximum number of retries for failed commands     | 3           |
+| `retryDelayMs`        | Delay between retries in milliseconds             | 1000        |
+| `useAdvancedNAT`      | Use connection tracking for stateful NAT          | false       |
+| `qos`                 | Quality of Service options (object)               | -           |
 | `netProxyIntegration` | NetworkProxy integration options (object)         | -           |
 
-#### IPTablesProxy NetworkProxy Integration Options
+#### NfTablesProxy QoS Options
+
+| Option               | Description                                       | Default |
+|----------------------|---------------------------------------------------|---------|
+| `enabled`            | Enable Quality of Service features                | false   |
+| `maxRate`            | Maximum bandwidth rate (e.g. "10mbps")           | -       |
+| `priority`           | Traffic priority (1-10, 1 is highest)            | -       |
+| `markConnections`    | Mark connections for easier management            | false   |
+
+#### NfTablesProxy NetworkProxy Integration Options
 
 | Option               | Description                                       | Default |
 |----------------------|---------------------------------------------------|---------|
@@ -490,18 +528,30 @@ The `PortProxy` class can inspect the SNI (Server Name Indication) field in TLS
 - Domain-specific allowed IP ranges
 - Protection against SNI renegotiation attacks
 
-### Enhanced IPTables Management
+### Enhanced NfTables Management
 
-The improved `IPTablesProxy` class offers advanced capabilities:
+The `NfTablesProxy` class offers advanced capabilities compared to the previous IPTablesProxy:
 
 - Support for multiple port ranges and individual ports
-- IPv6 support with ip6tables
-- Source IP filtering with allow/block lists
-- Custom chain creation for better rule organization
+- More efficient IP filtering using nftables sets
+- IPv6 support with full feature parity
+- Quality of Service (QoS) features including bandwidth limiting and traffic prioritization
+- Advanced connection tracking for stateful NAT
+- Robust error handling with retry mechanisms
+- Structured logging with JSON support
 - NetworkProxy integration for SSL termination
-- Automatic rule existence checking to prevent duplicates
 - Comprehensive cleanup on shutdown
 
+### Port80Handler with Glob Pattern Support
+
+The `Port80Handler` class now includes support for glob pattern domain matching:
+
+- Supports wildcard domains like `*.example.com` for HTTP request routing
+- Detects glob patterns and skips certificate issuance for them
+- Smart routing that first attempts exact matches, then tries pattern matching
+- Supports forwarding HTTP requests to backend services
+- Separate forwarding configuration for ACME challenges
+
 ## Troubleshooting
 
 ### Browser Certificate Errors

package/ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '5.0.0',
+  version: '5.1.0',
   description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
 }

package/ts/index.ts

@@ -1,7 +1,7 @@
-export * from './classes.nftablesproxy.js';
-export * from './classes.networkproxy.js';
-export * from './classes.port80handler.js';
+export * from './nfttablesproxy/classes.nftablesproxy.js';
+export * from './networkproxy/classes.np.networkproxy.js';
+export * from './port80handler/classes.port80handler.js';
 export * from './classes.sslredirect.js';
-export * from './classes.pp.portproxy.js';
-export * from './classes.pp.snihandler.js';
-export * from './classes.pp.interfaces.js';
+export * from './smartproxy/classes.smartproxy.js';
+export * from './smartproxy/classes.pp.snihandler.js';
+export * from './smartproxy/classes.pp.interfaces.js';

package/ts/networkproxy/classes.np.certificatemanager.ts

@@ -0,0 +1,398 @@
+import * as plugins from '../plugins.js';
+import * as fs from 'fs';
+import * as path from 'path';
+import { fileURLToPath } from 'url';
+import { type INetworkProxyOptions, type ICertificateEntry, type ILogger, createLogger } from './classes.np.types.js';
+import { Port80Handler, Port80HandlerEvents, type IDomainOptions } from '../port80handler/classes.port80handler.js';
+
+/**
+ * Manages SSL certificates for NetworkProxy including ACME integration
+ */
+export class CertificateManager {
+  private defaultCertificates: { key: string; cert: string };
+  private certificateCache: Map<string, ICertificateEntry> = new Map();
+  private port80Handler: Port80Handler | null = null;
+  private externalPort80Handler: boolean = false;
+  private certificateStoreDir: string;
+  private logger: ILogger;
+  private httpsServer: plugins.https.Server | null = null;
+  
+  constructor(private options: INetworkProxyOptions) {
+    this.certificateStoreDir = path.resolve(options.acme?.certificateStore || './certs');
+    this.logger = createLogger(options.logLevel || 'info');
+    
+    // Ensure certificate store directory exists
+    try {
+      if (!fs.existsSync(this.certificateStoreDir)) {
+        fs.mkdirSync(this.certificateStoreDir, { recursive: true });
+        this.logger.info(`Created certificate store directory: ${this.certificateStoreDir}`);
+      }
+    } catch (error) {
+      this.logger.warn(`Failed to create certificate store directory: ${error}`);
+    }
+    
+    this.loadDefaultCertificates();
+  }
+  
+  /**
+   * Loads default certificates from the filesystem
+   */
+  public loadDefaultCertificates(): void {
+    const __dirname = path.dirname(fileURLToPath(import.meta.url));
+    const certPath = path.join(__dirname, '..', '..', 'assets', 'certs');
+    
+    try {
+      this.defaultCertificates = {
+        key: fs.readFileSync(path.join(certPath, 'key.pem'), 'utf8'),
+        cert: fs.readFileSync(path.join(certPath, 'cert.pem'), 'utf8')
+      };
+      this.logger.info('Default certificates loaded successfully');
+    } catch (error) {
+      this.logger.error('Error loading default certificates', error);
+      
+      // Generate self-signed fallback certificates
+      try {
+        // This is a placeholder for actual certificate generation code
+        // In a real implementation, you would use a library like selfsigned to generate certs
+        this.defaultCertificates = {
+          key: "FALLBACK_KEY_CONTENT",
+          cert: "FALLBACK_CERT_CONTENT"
+        };
+        this.logger.warn('Using fallback self-signed certificates');
+      } catch (fallbackError) {
+        this.logger.error('Failed to generate fallback certificates', fallbackError);
+        throw new Error('Could not load or generate SSL certificates');
+      }
+    }
+  }
+  
+  /**
+   * Set the HTTPS server reference for context updates
+   */
+  public setHttpsServer(server: plugins.https.Server): void {
+    this.httpsServer = server;
+  }
+  
+  /**
+   * Get default certificates
+   */
+  public getDefaultCertificates(): { key: string; cert: string } {
+    return { ...this.defaultCertificates };
+  }
+  
+  /**
+   * Sets an external Port80Handler for certificate management
+   */
+  public setExternalPort80Handler(handler: Port80Handler): void {
+    if (this.port80Handler && !this.externalPort80Handler) {
+      this.logger.warn('Replacing existing internal Port80Handler with external handler');
+      
+      // Clean up existing handler if needed
+      if (this.port80Handler !== handler) {
+        // Unregister event handlers to avoid memory leaks
+        this.port80Handler.removeAllListeners(Port80HandlerEvents.CERTIFICATE_ISSUED);
+        this.port80Handler.removeAllListeners(Port80HandlerEvents.CERTIFICATE_RENEWED);
+        this.port80Handler.removeAllListeners(Port80HandlerEvents.CERTIFICATE_FAILED);
+        this.port80Handler.removeAllListeners(Port80HandlerEvents.CERTIFICATE_EXPIRING);
+      }
+    }
+    
+    // Set the external handler
+    this.port80Handler = handler;
+    this.externalPort80Handler = true;
+    
+    // Register event handlers
+    this.port80Handler.on(Port80HandlerEvents.CERTIFICATE_ISSUED, this.handleCertificateIssued.bind(this));
+    this.port80Handler.on(Port80HandlerEvents.CERTIFICATE_RENEWED, this.handleCertificateIssued.bind(this));
+    this.port80Handler.on(Port80HandlerEvents.CERTIFICATE_FAILED, this.handleCertificateFailed.bind(this));
+    this.port80Handler.on(Port80HandlerEvents.CERTIFICATE_EXPIRING, (data) => {
+      this.logger.info(`Certificate for ${data.domain} expires in ${data.daysRemaining} days`);
+    });
+    
+    this.logger.info('External Port80Handler connected to CertificateManager');
+    
+    // Register domains with Port80Handler if we have any certificates cached
+    if (this.certificateCache.size > 0) {
+      const domains = Array.from(this.certificateCache.keys())
+        .filter(domain => !domain.includes('*')); // Skip wildcard domains
+      
+      this.registerDomainsWithPort80Handler(domains);
+    }
+  }
+  
+  /**
+   * Handle newly issued or renewed certificates from Port80Handler
+   */
+  private handleCertificateIssued(data: { domain: string; certificate: string; privateKey: string; expiryDate: Date }): void {
+    const { domain, certificate, privateKey, expiryDate } = data;
+    
+    this.logger.info(`Certificate ${this.certificateCache.has(domain) ? 'renewed' : 'issued'} for ${domain}, valid until ${expiryDate.toISOString()}`);
+    
+    // Update certificate in HTTPS server
+    this.updateCertificateCache(domain, certificate, privateKey, expiryDate);
+    
+    // Save the certificate to the filesystem if not using external handler
+    if (!this.externalPort80Handler && this.options.acme?.certificateStore) {
+      this.saveCertificateToStore(domain, certificate, privateKey);
+    }
+  }
+  
+  /**
+   * Handle certificate issuance failures
+   */
+  private handleCertificateFailed(data: { domain: string; error: string }): void {
+    this.logger.error(`Certificate issuance failed for ${data.domain}: ${data.error}`);
+  }
+  
+  /**
+   * Saves certificate and private key to the filesystem
+   */
+  private saveCertificateToStore(domain: string, certificate: string, privateKey: string): void {
+    try {
+      const certPath = path.join(this.certificateStoreDir, `${domain}.cert.pem`);
+      const keyPath = path.join(this.certificateStoreDir, `${domain}.key.pem`);
+      
+      fs.writeFileSync(certPath, certificate);
+      fs.writeFileSync(keyPath, privateKey);
+      
+      // Ensure private key has restricted permissions
+      try {
+        fs.chmodSync(keyPath, 0o600);
+      } catch (error) {
+        this.logger.warn(`Failed to set permissions on private key for ${domain}: ${error}`);
+      }
+      
+      this.logger.info(`Saved certificate for ${domain} to ${certPath}`);
+    } catch (error) {
+      this.logger.error(`Failed to save certificate for ${domain}: ${error}`);
+    }
+  }
+  
+  /**
+   * Handles SNI (Server Name Indication) for TLS connections
+   * Used by the HTTPS server to select the correct certificate for each domain
+   */
+  public handleSNI(domain: string, cb: (err: Error | null, ctx: plugins.tls.SecureContext) => void): void {
+    this.logger.debug(`SNI request for domain: ${domain}`);
+    
+    // Check if we have a certificate for this domain
+    const certs = this.certificateCache.get(domain);
+    
+    if (certs) {
+      try {
+        // Create TLS context with the cached certificate
+        const context = plugins.tls.createSecureContext({
+          key: certs.key,
+          cert: certs.cert
+        });
+        
+        this.logger.debug(`Using cached certificate for ${domain}`);
+        cb(null, context);
+        return;
+      } catch (err) {
+        this.logger.error(`Error creating secure context for ${domain}:`, err);
+      }
+    }
+    
+    // Check if we should trigger certificate issuance
+    if (this.options.acme?.enabled && this.port80Handler && !domain.includes('*')) {
+      // Check if this domain is already registered
+      const certData = this.port80Handler.getCertificate(domain);
+      
+      if (!certData) {
+        this.logger.info(`No certificate found for ${domain}, registering for issuance`);
+        
+        // Register with new domain options format
+        const domainOptions: IDomainOptions = {
+          domainName: domain,
+          sslRedirect: true,
+          acmeMaintenance: true
+        };
+        
+        this.port80Handler.addDomain(domainOptions);
+      }
+    }
+    
+    // Fall back to default certificate
+    try {
+      const context = plugins.tls.createSecureContext({
+        key: this.defaultCertificates.key,
+        cert: this.defaultCertificates.cert
+      });
+      
+      this.logger.debug(`Using default certificate for ${domain}`);
+      cb(null, context);
+    } catch (err) {
+      this.logger.error(`Error creating default secure context:`, err);
+      cb(new Error('Cannot create secure context'), null);
+    }
+  }
+  
+  /**
+   * Updates certificate in cache
+   */
+  public updateCertificateCache(domain: string, certificate: string, privateKey: string, expiryDate?: Date): void {
+    // Update certificate context in HTTPS server if it's running
+    if (this.httpsServer) {
+      try {
+        this.httpsServer.addContext(domain, {
+          key: privateKey,
+          cert: certificate
+        });
+        this.logger.debug(`Updated SSL context for domain: ${domain}`);
+      } catch (error) {
+        this.logger.error(`Error updating SSL context for domain ${domain}:`, error);
+      }
+    }
+    
+    // Update certificate in cache
+    this.certificateCache.set(domain, {
+      key: privateKey,
+      cert: certificate,
+      expires: expiryDate
+    });
+  }
+  
+  /**
+   * Gets a certificate for a domain
+   */
+  public getCertificate(domain: string): ICertificateEntry | undefined {
+    return this.certificateCache.get(domain);
+  }
+  
+  /**
+   * Requests a new certificate for a domain
+   */
+  public async requestCertificate(domain: string): Promise<boolean> {
+    if (!this.options.acme?.enabled && !this.externalPort80Handler) {
+      this.logger.warn('ACME certificate management is not enabled');
+      return false;
+    }
+    
+    if (!this.port80Handler) {
+      this.logger.error('Port80Handler is not initialized');
+      return false;
+    }
+    
+    // Skip wildcard domains - can't get certs for these with HTTP-01 validation
+    if (domain.includes('*')) {
+      this.logger.error(`Cannot request certificate for wildcard domain: ${domain}`);
+      return false;
+    }
+    
+    try {
+      // Use the new domain options format
+      const domainOptions: IDomainOptions = {
+        domainName: domain,
+        sslRedirect: true,
+        acmeMaintenance: true
+      };
+      
+      this.port80Handler.addDomain(domainOptions);
+      this.logger.info(`Certificate request submitted for domain: ${domain}`);
+      return true;
+    } catch (error) {
+      this.logger.error(`Error requesting certificate for domain ${domain}:`, error);
+      return false;
+    }
+  }
+  
+  /**
+   * Registers domains with Port80Handler for ACME certificate management
+   */
+  public registerDomainsWithPort80Handler(domains: string[]): void {
+    if (!this.port80Handler) {
+      this.logger.warn('Port80Handler is not initialized');
+      return;
+    }
+    
+    for (const domain of domains) {
+      // Skip wildcard domains - can't get certs for these with HTTP-01 validation
+      if (domain.includes('*')) {
+        this.logger.info(`Skipping wildcard domain for ACME: ${domain}`);
+        continue;
+      }
+      
+      // Skip domains already with certificates if configured to do so
+      if (this.options.acme?.skipConfiguredCerts) {
+        const cachedCert = this.certificateCache.get(domain);
+        if (cachedCert) {
+          this.logger.info(`Skipping domain with existing certificate: ${domain}`);
+          continue;
+        }
+      }
+      
+      // Register the domain for certificate issuance with new domain options format
+      const domainOptions: IDomainOptions = {
+        domainName: domain,
+        sslRedirect: true,
+        acmeMaintenance: true
+      };
+      
+      this.port80Handler.addDomain(domainOptions);
+      this.logger.info(`Registered domain for ACME certificate issuance: ${domain}`);
+    }
+  }
+  
+  /**
+   * Initialize internal Port80Handler
+   */
+  public async initializePort80Handler(): Promise<Port80Handler | null> {
+    // Skip if using external handler
+    if (this.externalPort80Handler) {
+      this.logger.info('Using external Port80Handler, skipping initialization');
+      return this.port80Handler;
+    }
+    
+    if (!this.options.acme?.enabled) {
+      return null;
+    }
+    
+    // Create certificate manager
+    this.port80Handler = new Port80Handler({
+      port: this.options.acme.port,
+      contactEmail: this.options.acme.contactEmail,
+      useProduction: this.options.acme.useProduction,
+      renewThresholdDays: this.options.acme.renewThresholdDays,
+      httpsRedirectPort: this.options.port, // Redirect to our HTTPS port
+      renewCheckIntervalHours: 24, // Check daily for renewals
+      enabled: this.options.acme.enabled,
+      autoRenew: this.options.acme.autoRenew,
+      certificateStore: this.options.acme.certificateStore,
+      skipConfiguredCerts: this.options.acme.skipConfiguredCerts
+    });
+    
+    // Register event handlers
+    this.port80Handler.on(Port80HandlerEvents.CERTIFICATE_ISSUED, this.handleCertificateIssued.bind(this));
+    this.port80Handler.on(Port80HandlerEvents.CERTIFICATE_RENEWED, this.handleCertificateIssued.bind(this));
+    this.port80Handler.on(Port80HandlerEvents.CERTIFICATE_FAILED, this.handleCertificateFailed.bind(this));
+    this.port80Handler.on(Port80HandlerEvents.CERTIFICATE_EXPIRING, (data) => {
+      this.logger.info(`Certificate for ${data.domain} expires in ${data.daysRemaining} days`);
+    });
+    
+    // Start the handler
+    try {
+      await this.port80Handler.start();
+      this.logger.info(`Port80Handler started on port ${this.options.acme.port}`);
+      return this.port80Handler;
+    } catch (error) {
+      this.logger.error(`Failed to start Port80Handler: ${error}`);
+      this.port80Handler = null;
+      return null;
+    }
+  }
+  
+  /**
+   * Stop the Port80Handler if it was internally created
+   */
+  public async stopPort80Handler(): Promise<void> {
+    if (this.port80Handler && !this.externalPort80Handler) {
+      try {
+        await this.port80Handler.stop();
+        this.logger.info('Port80Handler stopped');
+      } catch (error) {
+        this.logger.error('Error stopping Port80Handler', error);
+      }
+    }
+  }
+}