Networking

Minions connect securely to HQ via Cloudflare Tunnel.

Cloudflare Tunnel

A Cloudflare Tunnel is automatically created for each minion during provisioning.

flowchart TD
    A["Browser / HQ"] -->|"HTTPS / WSS"| B["Cloudflare Edge"]
    B -->|"Tunnel (encrypted)"| C["Minion VPS (Lightsail)"]
    C --- D[":3001 Fastify API"]
    C --- E[":6080 noVNC (websockify)"]
    C --- F[":7681 ttyd"]

DNS configuration

A CNAME record {minion-id}.minion-agent.com is automatically created for each minion.

WebSocket proxy

HQ’s custom server relays WebSocket connections.

Path	Destination	Purpose
/ws/minion/:id/vnc	Minion port 6080	VNC connection
/ws/minion/:id/terminal/:session	Minion port 7681	Terminal connection

Authentication is performed via JWT, supporting Cookie / Authorization Header / Query Parameter.

Port reference

Minion Server (VPS)

Port	Protocol	Service	Exposure
3001	HTTP	Fastify API	Via Tunnel
6080	WebSocket	noVNC (websockify)	Via Tunnel
7681	WebSocket	ttyd	Via Tunnel

HQ Server (ECS)

Port	Protocol	Service
3000	HTTP / WS	Next.js + WebSocket proxy

Security

• Minion VPS ports are not exposed directly; access is only available via Cloudflare Tunnel
• HQ-to-minion communication is protected by API tokens (Bearer auth)
• WebSocket connections require JWT authentication