SSH-LINK Server Documentation

Server documentation

Relay server and APISIX deployment

The Server is the WebSocket relay and REST API used by both Manager and Agent. It runs as a Docker image behind APISIX on the Ubuntu host.

What this page is for: Understand what runs on the Ubuntu server, which image is pulled, how APISIX routes traffic, and which config/API surfaces the relay exposes.

Production endpoints

Relay API: https://relay.kvasetech.com

Documentation site: https://sshlink.kvasetech.com

Health check: https://relay.kvasetech.com/healthz

Container image

The Ubuntu host pulls the prebuilt image from GitHub Container Registry. It should not compile the server locally.

ghcr.io/kjellmagne/ssh-link-server:latest

Update command

Run this on the Ubuntu host after GitHub Actions publishes a new image.

cd /opt/ssh-link
sh deploy/ubuntu/update-server.sh

APISIX route

APISIX terminates TLS and routes relay.kvasetech.com to the server container on the shared Docker network.

export APISIX_ADMIN_KEY="..."
sh deploy/apisix/apply-route.sh

Server config

The mounted YAML file defines bind address, public URL, manager tokens, agent tokens, RBAC rules, session limits, keepalive intervals, and audit logging.

/opt/ssh-link/configs/server.yaml

State model

v1 uses in-memory online/session state. Connected agents and active sessions disappear on server restart. Tokens and RBAC live in config.

Public interfaces

REST and WebSocket surfaces

Manager REST API

GET    /api/agents
POST   /api/sessions
GET    /api/sessions/{session_id}
DELETE /api/sessions/{session_id}

WebSocket channels

/api/agent/connect
/api/sessions/{session_id}/connect
/api/agent/sessions/{session_id}/stream

Health checks

GET /healthz
GET /readyz

Payload model

Control messages use JSON. Tunnel payloads use binary WebSocket frames for raw TCP bytes.