>[!NOTE]- Notes >- CDN usage is **OPTIONAL**. >- Content crossing the *Corporate Environment* network boundary is _always_ obfuscated. >- The [[Transfer Server|transfer server]] is responsible for: > - Obfuscating files being downloaded. > - Deobfuscating files being uploaded before writing them to the webroot. >- The [[Client|client]] (Beachhead Web Browser) is responsible for the following via WASM: > - Deobfuscating files being downloaded. > - Obfuscating files being uploaded. ```mermaid flowchart subgraph sg-cloudfront[Cloudfront CDN] cf-listener(443/tls) end subgraph sg-vps[VPS] subgraph sg-skyhook[Skyhook Servers] admin-listener(Admin Server<br>45000/tls) transfer-listener(Transfer Server<br>45001/tls) end config-file(Config File<br>/var/skyroot/config.yml) admin-listener -..->|Reads &<br>Manages| config-file webroot(Webroot<br>/var/skyhook/webroot) transfer-listener -..->|Serves From &<br>Writes Cleartext<br>Files To| webroot end op-browser(Operator<br>Web Browser) -->|Administration<br>Traffic| admin-listener op-browser <-->|Obfuscated<br>Data| transfer-listener subgraph sg-corp[Corporate Environment] subgraph sg-compromised[Beachhead Host] comp-browser(Web Browser) -->|Reads &<br>Writes| cleartext-file(Cleartext Files) end end comp-browser <-->|Obfuscated<br>Data| cf-listener <-->|Obfuscated<br>Data| transfer-listener ```