Software Architecture

This chapter has documentation on the software architecture

WebSockets Information and Design

PatchMon WebSockets

This document describes how WebSockets are used in PatchMon: endpoints, authentication, WS vs WSS behaviour, and security.


Overview

PatchMon uses a single HTTP server with noServer: true WebSocket handling. All WebSocket upgrades are handled in one place (server.on("upgrade")) and routed by path:

Path pattern Purpose Clients
/api/{v}/agents/ws Agent ↔ server persistent connection PatchMon agent (Go)
/api/{v}/ssh-terminal/:hostId Browser SSH terminal to a host Frontend (browser)
/bullboard* Bull Board queue UI real-time updates Bull Board (browser)

Implementation lives in:


WebSocket Endpoints

Agent WebSocket

SSH Terminal WebSocket

Bull Board WebSocket


WS vs WSS (Secure vs Insecure)

How each part of the system decides between ws (insecure) and wss (secure):

Server (backend)

The server does not choose the protocol; it detects whether the incoming connection is secure and records it for logging and metadata:

So: if the client connects over TLS, or the proxy sets X-Forwarded-Proto: https, the server treats the connection as secure (wss). Otherwise it is treated as ws.

Code: backend/src/services/agentWs.js (e.g. isSecure, connectionMetadata, log line with protocol=wss|ws).

Agent (Go)

The agent converts the configured server URL to a WebSocket URL and uses that to connect:

Configured URL WebSocket URL
https://... wss://...
http://... ws://...
Already wss:// or ws:// Used as-is
No protocol Assumed HTTPS → wss://...

The path is then appended: .../api/{version}/agents/ws.

Code: agent-source-code/cmd/patchmon-agent/commands/serve.go (connectOnce, URL conversion and wsURL).

Frontend (browser)

The frontend (e.g. SSH terminal) builds the WebSocket URL so it matches the page:

So the same app works on http and https without extra configuration.

Code: frontend/src/components/SshTerminal.jsx (e.g. protocol = window.location.protocol === "https:" ? "wss:" : "ws:").


Authentication

All three paths reject the upgrade (e.g. 401) if auth fails; the WebSocket is never established.


Message Types and Flows


Security Notes