Recommended Architecture
For public deployments, a reverse proxy in front of HubProxy is recommended to keep the server secure.
Recommended Topology
Section titled “Recommended Topology”Users → CDN (optional) → Caddy/Nginx (private/local) → HubProxy:5000| Component | Role |
|---|---|
| CDN | Optional TLS termination and edge caching |
| Reverse proxy | TLS, real client IP injection, hide backend port |
| HubProxy | Docker/GitHub proxy logic |
Requirements When Using a Reverse Proxy
Section titled “Requirements When Using a Reverse Proxy”If you follow the recommended topology above (users → proxy → HubProxy):
- Reverse proxy must overwrite
X-Forwarded-For/X-Real-IP(prevent client IP spoofing — never append client-supplied headers) - Preferably make port 5000 reachable only by the proxy (bind
127.0.0.1or firewall) - Overwrite
X-Forwarded-Hostto prevent Host injection in.shscripts
Scenario Comparison
Section titled “Scenario Comparison”| Deployment | Per-user rate limit | IP spoof protection | Rating |
|---|---|---|---|
| CDN → private proxy → HubProxy | ✅ | ✅ | ⭐⭐⭐ |
| Docker Caddy + HubProxy | ✅ | ✅ | ⭐⭐⭐ |
| Local Nginx → HubProxy | ✅ | ✅ | ⭐⭐⭐ |
| Cloudflare direct to HubProxy | ❌ shared CDN IP | ✅ | ⚠️ |
Public 0.0.0.0:5000 |
✅ | ✅ | ⚠️ easily abused |