Skip to content

Recommended Architecture

For public deployments, a reverse proxy in front of HubProxy is recommended to keep the server secure.

Users → CDN (optional) → Caddy/Nginx (private/local) → HubProxy:5000
Component Role
CDN Optional TLS termination and edge caching
Reverse proxy TLS, real client IP injection, hide backend port
HubProxy Docker/GitHub proxy logic

If you follow the recommended topology above (users → proxy → HubProxy):

  1. Reverse proxy must overwrite X-Forwarded-For / X-Real-IP (prevent client IP spoofing — never append client-supplied headers)
  2. Preferably make port 5000 reachable only by the proxy (bind 127.0.0.1 or firewall)
  3. Overwrite X-Forwarded-Host to prevent Host injection in .sh scripts
Deployment Per-user rate limit IP spoof protection Rating
CDN → private proxy → HubProxy ⭐⭐⭐
Docker Caddy + HubProxy ⭐⭐⭐
Local Nginx → HubProxy ⭐⭐⭐
Cloudflare direct to HubProxy ❌ shared CDN IP ⚠️
Public 0.0.0.0:5000 ⚠️ easily abused