feat(agent): use multistream and yamux muxer instead of HTTP server

This change replaces the legacy per-connection HTTP/revdial
reverse-tunnel flow with a multiplexed, per-stream protocol (v2) based
on HashiCorp's yamux and multistream-select.

Yamux sessions allow a single agent websocket to host many logical
streams without repeating the HTTP reverse-listen handshake for each
session. Multistream-select provides explicit per-stream protocol
negotiation, making each logical stream's intent (SSH open/close, HTTP
proxy) explicit and versionable. The new approach reduces handshake
overhead and makes future protocol extensions easier and safer.

Over time the legacy reverse-tunnel implementation (per-request
HTTP/revdial) has become a maintenance burden and a performance limiter:
each logical session required a full HTTP handshake and a separate
reverse listener, which increased latency and duplicated logic across
server components. This change replaces that model with a single
multiplexed transport per agent using HashiCorp's yamux, and introduces
explicit per-stream protocol negotiation via multistream-select.

Practically, when an agent connects we now bind its websocket to a yamux
session (Manager.Bind) and keep that session alive with a light ping
loop. Individual logical operations—opening an SSH session, closing it,
or proxying HTTP—are created as yamux streams. Each stream negotiates
its intent using multistream identifiers (`/ssh/open/1.0.0`,
`/ssh/close/1.0.0`, `/http/proxy/1.0.0`) and then exchanges a small JSON
envelope for any parameters. The dialer package centralizes version
handling and prepares connections for callers via DialTo(ctx, tenant,
uid, target), while Target implementations encapsulate the
version-specific bootstrap (legacy HTTP v1 vs yamux+multistream v2).

We kept backward compatibility in mind: the Manager still recognizes
existing revdial-based connections and will return a v1 connection when
appropriate. That lets the system run both v1 and v2 agents concurrently
and supports staged rollouts. I also removed the duplicated tunnel
wiring and replaced it with a focused HTTP sidecar (http) that exposes
both the legacy endpoints and the new v2 bind endpoint; server and
session code now call into dialer.Dialer and Target helpers rather than
performing raw HTTP handshakes.

Author: henrybarreto

agent/go.mod

@@ -40,12 +40,15 @@ require (
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gorilla/websocket v1.5.0 // indirect
+	github.com/hashicorp/yamux v0.1.2 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/kr/fs v0.1.0 // indirect
 	github.com/labstack/echo/v4 v4.10.2 // indirect
 	github.com/leodido/go-urn v1.2.2 // indirect
 	github.com/mattn/go-shellwords v1.0.12 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
+	github.com/multiformats/go-multistream v0.6.1 // indirect
+	github.com/multiformats/go-varint v0.0.6 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/openwall/yescrypt-go v1.0.0 // indirect

agent/go.sum

@@ -53,6 +53,8 @@ github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWm
 github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 h1:/c3QmbOGMGTOumP2iT/rCwB7b0QDGLKzqOmktBjT+Is=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1/go.mod h1:5SN9VR2LTsRFsrEC6FHgRbTWrTHu6tqPeKxEQv15giM=
+github.com/hashicorp/yamux v0.1.2 h1:XtB8kyFOyHXYVFnwT5C3+Bdo8gArse7j2AQ0DA0Uey8=
+github.com/hashicorp/yamux v0.1.2/go.mod h1:C+zze2n6e/7wshOZep2A70/aQU6QBRWJO/G6FT1wIns=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jarcoal/httpmock v1.3.1 h1:iUx3whfZWVf3jT01hQTO/Eo5sAYtB2/rqaUuOtpInww=
@@ -82,6 +84,10 @@ github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
 github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
+github.com/multiformats/go-multistream v0.6.1 h1:4aoX5v6T+yWmc2raBHsTvzmFhOI8WVOer28DeBBEYdQ=
+github.com/multiformats/go-multistream v0.6.1/go.mod h1:ksQf6kqHAb6zIsyw7Zm+gAuVo57Qbq84E27YlYqavqw=
+github.com/multiformats/go-varint v0.0.6 h1:gk85QWKxh3TazbLxED/NlDVv8+q+ReFJk7Y2W/KhfNY=
+github.com/multiformats/go-varint v0.0.6/go.mod h1:3Ls8CIEsrijN6+B7PbrXRPxHRPuXSrVKRY101jdMZYE=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=

gateway/nginx/conf.d/shellhub.conf

@@ -368,6 +368,29 @@ server {
         proxy_redirect off;
     }
 
+    location /connection {
+        set $upstream ssh:8080;
+
+        auth_request /auth;
+        auth_request_set $tenant_id $upstream_http_x_tenant_id;
+        auth_request_set $device_uid $upstream_http_x_device_uid;
+        proxy_pass http://$upstream;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_set_header Host $host;
+        proxy_set_header Upgrade $http_upgrade;
+        {{ if $cfg.EnableProxyProtocol -}}
+        proxy_set_header X-Real-IP $proxy_protocol_addr;
+        {{ else -}}
+        proxy_set_header X-Real-IP $x_real_ip;
+        {{ end -}}
+        proxy_set_header X-Device-UID $device_uid;
+        proxy_set_header X-Tenant-ID $tenant_id;
+        proxy_set_header X-Request-ID $request_id;
+        proxy_http_version 1.1;
+        proxy_cache_bypass $http_upgrade;
+        proxy_redirect off;
+    }
+
     location /ssh/auth {
         set $upstream api:8080;
 

go.mod

@@ -17,11 +17,13 @@ require (
 	github.com/golang-jwt/jwt/v4 v4.5.2
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/websocket v1.5.0
+	github.com/hashicorp/yamux v0.1.2
 	github.com/hibiken/asynq v0.24.1
 	github.com/jarcoal/httpmock v1.3.1
 	github.com/labstack/echo/v4 v4.10.2
 	github.com/mattn/go-shellwords v1.0.12
 	github.com/mholt/archiver/v4 v4.0.0-alpha.8
+	github.com/multiformats/go-multistream v0.6.1
 	github.com/openwall/yescrypt-go v1.0.0
 	github.com/oschwald/geoip2-golang v1.8.0
 	github.com/pkg/errors v0.9.1
@@ -85,6 +87,7 @@ require (
 	github.com/moby/sys/userns v0.1.0 // indirect
 	github.com/moby/term v0.5.0 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
+	github.com/multiformats/go-varint v0.0.6 // indirect
 	github.com/nwaples/rardecode/v2 v2.0.0-beta.2 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect