>[!NOTE]- Notes
>- CDN usage is **OPTIONAL**.
>- Content crossing the *Corporate Environment* network boundary is _always_ obfuscated.
>- The [[Transfer Server|transfer server]] is responsible for:
> - Obfuscating files being downloaded.
> - Deobfuscating files being uploaded before writing them to the webroot.
>- The [[Client|client]] (Beachhead Web Browser) is responsible for the following via WASM:
> - Deobfuscating files being downloaded.
> - Obfuscating files being uploaded.
```mermaid
flowchart
subgraph sg-cloudfront[Cloudfront CDN]
cf-listener(443/tls)
end
subgraph sg-vps[VPS]
subgraph sg-skyhook[Skyhook Servers]
admin-listener(Admin Server<br>45000/tls)
transfer-listener(Transfer Server<br>45001/tls)
end
config-file(Config File<br>/var/skyroot/config.yml)
admin-listener -..->|Reads &<br>Manages| config-file
webroot(Webroot<br>/var/skyhook/webroot)
transfer-listener -..->|Serves From &<br>Writes Cleartext<br>Files To| webroot
end
op-browser(Operator<br>Web Browser) -->|Administration<br>Traffic| admin-listener
op-browser <-->|Obfuscated<br>Data| transfer-listener
subgraph sg-corp[Corporate Environment]
subgraph sg-compromised[Beachhead Host]
comp-browser(Web Browser) -->|Reads &<br>Writes| cleartext-file(Cleartext Files)
end
end
comp-browser <-->|Obfuscated<br>Data| cf-listener <-->|Obfuscated<br>Data| transfer-listener
```