From 5cb1b8565d534b4bfd413dafe6196390eac37929 Mon Sep 17 00:00:00 2001 From: Xi Xu Date: Fri, 27 Mar 2026 03:21:10 +0800 Subject: [PATCH 1/2] docs: update README and deployment guide for clarity and security recommendations --- README.md | 12 +- README.zh-Hans.md | 23 ++-- README.zh-Hant.md | 7 +- commitlint.config.mjs | 2 +- docs/deploy-on-digitalocean.md | 220 +++++++++++++++++++-------------- 5 files changed, 151 insertions(+), 113 deletions(-) diff --git a/README.md b/README.md index 7f9f2c099..d1cc21b8c 100644 --- a/README.md +++ b/README.md @@ -59,11 +59,12 @@ [![Container Registries](https://img.shields.io/badge/Container%20Registries-262261?logo=opencontainersinitiative&logoColor=white)](#container-registries) [![AI Inference Providers](https://img.shields.io/badge/AI%20Inference%20Providers-94A3B8?logo=openrouter&logoColor=white)](#ai-inference-providers) -Ultra-high-performance, secure, all-in-one acceleration engine for developer -resources that significantly outperforms traditional solutions, delivering -unified, efficient acceleration across code repositories, model and dataset +Xget is an ultra-high-performance, secure, all-in-one acceleration engine for +developer resources. It significantly outperforms traditional solutions and +provides unified, efficient acceleration for code hosting, model and dataset hubs, package registries, container registries, AI inference providers, and -more. +more, while handling caching, retries, security headers, and protocol-specific +compatibility behavior for you. Technical deep dive: **_[Deep Dive into Xget: A High-Performance, Multi-Protocol, and Secure Acceleration Engine for Developer Resources](https://blog.xi-xu.me/en/2025/10/07/Deep-Dive-into-Xget.html)_**. 
@@ -84,6 +85,9 @@ Xget. **Pre-deployed Instance: `xget.xi-xu.me`** - For evaluation and trial only, deploy your own instance for production or availability-sensitive workloads +> [!WARNING] If you self-host it, put it behind authentication, IP allowlists, +> or both unless you explicitly intend to run a public mirror. + **URL Converter:** [**`xuc.xi-xu.me`**](https://xuc.xi-xu.me) - Convert any supported platform URL to Xget's acceleration format with one click diff --git a/README.zh-Hans.md b/README.zh-Hans.md index 06a37ca38..d40c4ec61 100644 --- a/README.zh-Hans.md +++ b/README.zh-Hans.md @@ -58,7 +58,7 @@ [![容器注册表](https://img.shields.io/badge/容器注册表-262261?logo=opencontainersinitiative&logoColor=white)](#容器注册表) [![AI 推理提供商](https://img.shields.io/badge/AI%20推理提供商-94A3B8?logo=openrouter&logoColor=white)](#ai-推理提供商) -面向开发者资源的超高性能、安全、一体化加速引擎,其性能显著优于传统解决方案,为代码存储库、模型和数据集中心、软件包注册表、容器注册表、AI 推理提供商等提供统一、高效的加速。 +面向开发者资源的超高性能、安全、一体化加速引擎,其性能显著优于传统解决方案,为代码托管、模型和数据集中心、包管理存储库、容器注册表、AI 推理提供商等提供统一、高效的加速,同时替你处理缓存、重试、安全响应头以及协议相关兼容行为。 技术深度解析文章:**[《深入剖析 Xget:一个高性能、多协议、高安全性的开发者资源加速引擎》](https://blog.xi-xu.me/en/2025/10/07/Deep-Dive-into-Xget.html)**。 @@ -70,6 +70,9 @@ Xget 已受邀入驻 **预部署实例:`xget.xi-xu.me`** - 仅适合评估和试用,生产环境或对可用性敏感的场景建议自部署 +> [!WARNING] +> 如果你选择自托管,除非你明确要做公开镜像,否则请至少加上鉴权、IP 白名单,或同时启用两者。 + **URL 转换器:**[**`xuc.xi-xu.me`**](https://xuc.xi-xu.me) - 一键转换任意支持平台的 URL 为 Xget 的加速格式 **Agent Skills:`npx skills add xixu-me/xget`** @@ -102,7 +105,7 @@ Xget 已受邀入驻 - `Permissions-Policy`:默认限制浏览器中的隐私敏感能力 - `X-XSS-Protection`:面向旧浏览器的兼容性响应头 - **请求验证机制**: - - HTTP 方法白名单:常规请求限制为 GET/HEAD,而 Git/LFS、容器镜像仓库、AI 推理和 Hugging + - HTTP 方法白名单:常规请求限制为 GET/HEAD,而 Git/LFS、容器镜像存储库、AI 推理和 Hugging Face API 请求会按需允许 `POST`、`PUT`、`PATCH` 和 `DELETE` - 路径长度限制:防止超长 URL 攻击(最大 2048 字符) - 输入清理:防止路径遍历和注入攻击 
@@ -1736,7 +1739,7 @@ composer config -l flatpak remote-add --if-not-exists flathub \ https://dl.flathub.org/repo/flathub.flatpakrepo -# 然后把现有 Flathub 远程仓库改写到 Xget 镜像 +# 然后把现有 Flathub 远程存储库改写到 Xget 镜像 flatpak remote-modify flathub \ --url=https://xget.xi-xu.me/flathub/repo/ @@ -1745,11 +1748,11 @@ flatpak remote-modify flathub \ --url=https://dl.flathub.org/repo/ ``` -Xget 镜像的是 Flathub 的 OSTree 仓库端点。根据当前 Flatpak 客户端的实际行为,直接导入镜像 +Xget 镜像的是 Flathub 的 OSTree 存储库端点。根据当前 Flatpak 客户端的实际行为,直接导入镜像 `.flatpakrepo` -描述文件,或者直接添加镜像仓库 URL,仍然可能回退到上游 Flathub 地址,或者因为未导入签名密钥而失败,因此更可靠的做法是先添加官方 Flathub,再通过 +描述文件,或者直接添加镜像存储库 URL,仍然可能回退到上游 Flathub 地址,或者因为未导入签名密钥而失败,因此更可靠的做法是先添加官方 Flathub,再通过 `flatpak remote-modify ... --url=...` -改写远程地址。若你使用系统级远程仓库,请在相同命令前加上 `sudo`。 +改写远程地址。若你使用系统级远程存储库,请在相同命令前加上 `sudo`。 #### 支持的 Flathub 服务 @@ -1761,7 +1764,7 @@ https://xget.xi-xu.me/flathub/repo/summary.sig https://xget.xi-xu.me/flathub/repo/summary.idx https://xget.xi-xu.me/flathub/repo/summaries/... -# Flatpak 远程仓库描述文件 +# Flatpak 远程存储库描述文件 https://xget.xi-xu.me/flathub/repo/flathub.flatpakrepo # 应用引用描述文件 @@ -1776,13 +1779,13 @@ https://xget.xi-xu.me/flathub/repo/delta-indexes/... #### 使用示例 ```bash -# 确认保存下来的远程仓库 URL 已经指向 Xget +# 确认保存下来的远程存储库 URL 已经指向 Xget flatpak remotes --show-details -# 查看远程仓库内容 +# 查看远程存储库内容 flatpak remote-ls flathub -# 在改写 Flathub 远程仓库后安装应用 +# 在改写 Flathub 远程存储库后安装应用 flatpak install flathub org.gnome.gedit # 直接通过重写后的 .flatpakref 安装 diff --git a/README.zh-Hant.md b/README.zh-Hant.md index 5bfdc8905..26b79c9b2 100644 --- a/README.zh-Hant.md +++ b/README.zh-Hant.md 
@@ -58,7 +58,7 @@ [![容器註冊表](https://img.shields.io/badge/容器註冊表-262261?logo=opencontainersinitiative&logoColor=white)](#容器註冊表) [![AI 推理供應商](https://img.shields.io/badge/AI%20推理供應商-94A3B8?logo=openrouter&logoColor=white)](#ai-推理供應商) -面向開發者資源的超高效能、安全、一體化加速引擎,其效能顯著優於傳統解決方案,為程式碼儲存庫、模型和資料集中心、軟體包註冊表、容器註冊表、AI 推理供應商等提供統一、高效的加速。 +面向開發者資源的超高效能、安全、一體化加速引擎,其效能顯著優於傳統解決方案,為程式碼託管、模型和資料集中心、軟體包管理儲存庫、容器註冊表、AI 推理供應商等提供統一、高效的加速,同時替你處理快取、重試、安全回應標頭,以及各種協定相容行為。 技術深度解析文章:**[《深入剖析 Xget:一個高效能、多協定、高安全性的開發者資源加速引擎》](https://blog.xi-xu.me/en/2025/10/07/Deep-Dive-into-Xget.html)**。 @@ -70,6 +70,9 @@ Xget 已受邀入駐 **預部署實例:`xget.xi-xu.me`** - 僅適合評估與試用,正式環境或對可用性敏感的場景建議自行部署。 +> [!WARNING] +> 如果你選擇自託管,除非你明確要做公開鏡像,否則請至少加上驗證、IP 白名單,或同時啟用兩者。 + **URL 轉換器:**[**`xuc.xi-xu.me`**](https://xuc.xi-xu.me) - 一鍵轉換任意支援平台的 URL 為 Xget 的加速格式 **Agent Skills:`npx skills add xixu-me/xget`** @@ -103,7 +106,7 @@ Xget 已受邀入駐 - `Permissions-Policy`:預設限制瀏覽器中的隱私敏感能力 - `X-XSS-Protection`:面向舊版瀏覽器的相容性回應標頭 - **請求驗證機制**: - - HTTP 方法白名單:常規請求限制為 GET/HEAD,而 Git/LFS、容器映像倉庫、AI 推理與 Hugging + - HTTP 方法白名單:常規請求限制為 GET/HEAD,而 Git/LFS、容器映像儲存庫、AI 推理與 Hugging Face API 請求會按需允許 `POST`、`PUT`、`PATCH` 和 `DELETE` - 路徑長度限制:防止超長 URL 攻擊(最大 2048 字元) - 輸入清理:防止路徑遍歷和注入攻擊 diff --git a/commitlint.config.mjs b/commitlint.config.mjs index b29b5ae80..2291173ef 100644 --- a/commitlint.config.mjs +++ b/commitlint.config.mjs @@ -1,3 +1,3 @@ export default { - extends: ["@commitlint/config-conventional"], + extends: ['@commitlint/config-conventional'] }; diff --git a/docs/deploy-on-digitalocean.md b/docs/deploy-on-digitalocean.md index fabe0483e..579835cb8 100644 --- a/docs/deploy-on-digitalocean.md +++ b/docs/deploy-on-digitalocean.md 
@@ -1,12 +1,16 @@ # Deploying and Optimizing Xget on DigitalOcean -Xget itself is shipped as a container image, so it fits very naturally into DigitalOcean’s ecosystem (Droplets, App Platform, Kubernetes, and Container Registry). +Xget itself is shipped as a container image, so it fits very naturally into +DigitalOcean’s ecosystem (Droplets, App Platform, Kubernetes, and Container +Registry). -This guide explains how to run Xget efficiently on DigitalOcean and how to design a simple, robust acceleration layer for your team. +This guide explains how to run Xget efficiently on DigitalOcean and how to +design a simple, robust acceleration layer for your team. ## 1. Which DigitalOcean product should I use for Xget? -Depending on your scale and operations model, you can pick one of these typical setups: +Depending on your scale and operations model, you can pick one of these typical +setups: | Scenario | Recommended option | Characteristics | | ------------------------------------------- | ------------------------------ | ------------------------------------------------------------------- | 
@@ -14,26 +18,27 @@ Depending on your scale and operations model, you can pick one of these typical | Small / mid-size team, prefer fully managed | App Platform (container mode) | Automatic HTTPS, deployments, and autoscaling | | Large team / enterprise, complex traffic | DigitalOcean Kubernetes (DOKS) | Most flexible; supports fine-grained scaling and rollout strategies | -You can also use DigitalOcean Container Registry (DOCR) for your own Xget builds or to host business images that Xget will accelerate. +You can also use DigitalOcean Container Registry (DOCR) for your own Xget builds +or to host business images that Xget will accelerate. ## 2. Option 1: Droplet + Docker Compose (closest to "plain" self-hosting) ### 2.1 Prerequisites 1. **Create a Droplet** + - Recommended OS: Ubuntu 22.04 / 24.04 LTS. + - Size suggestions: + - Personal / small team: 1 vCPU / 1–2 GB RAM to start with. + - High concurrent downloads: prefer Premium Intel/AMD or CPU-Optimized + Droplets. - * Recommended OS: Ubuntu 22.04 / 24.04 LTS. - * Size suggestions: - - * Personal / small team: 1 vCPU / 1–2 GB RAM to start with. - * High concurrent downloads: prefer Premium Intel/AMD or CPU-Optimized Droplets. - * Region: pick a region close to your main users or to upstream services (e.g., GitHub, GHCR, DOCR). + - Region: pick a region close to your main users or to upstream services + (e.g., GitHub, GHCR, DOCR). 2. **Configure DNS** In DigitalOcean DNS, create a record, for example: - - * `xget.example.com` → your Droplet’s public IP address. + - `xget.example.com` → your Droplet’s public IP address. 3. **Install Docker & Docker Compose (example on Ubuntu)** 
@@ -67,7 +72,8 @@ You can also use DigitalOcean Container Registry (DOCR) for your own Xget builds ### 2.2 Deploy Xget using Docker Compose -Based on the self-hosting examples in the Xget README, it’s recommended to manage the container via Docker Compose. +Based on the self-hosting examples in the Xget README, it’s recommended to +manage the container via Docker Compose. 1. **Create a directory and `docker-compose.yml`:** @@ -85,7 +91,7 @@ Based on the self-hosting examples in the Xget README, it’s recommended to man container_name: xget # Bind only to 127.0.0.1; expose via reverse proxy ports: - - "127.0.0.1:8080:8080" + - '127.0.0.1:8080:8080' restart: unless-stopped ``` @@ -99,7 +105,8 @@ Based on the self-hosting examples in the Xget README, it’s recommended to man ### 2.3 Expose HTTPS via nginx + Let’s Encrypt -Instead of exposing port 8080 directly, run nginx on the Droplet as a reverse proxy with HTTPS. +Instead of exposing port 8080 directly, run nginx on the Droplet as a reverse +proxy with HTTPS. 1. **Install nginx and Certbot:** @@ -115,7 +122,8 @@ Instead of exposing port 8080 directly, run nginx on the Droplet as a reverse pr 3. **Configure reverse proxy** - Certbot will create a `server` block for you. You can adapt/add configuration like: + Certbot will create a `server` block for you. You can adapt/add configuration + like: ```nginx server { 
@@ -152,75 +160,78 @@ Instead of exposing port 8080 directly, run nginx on the Droplet as a reverse pr sudo systemctl reload nginx ``` -Now users can access Xget via `https://xget.example.com` through nginx → Xget container. +Now users can access Xget via `https://xget.example.com` through nginx → Xget +container. ### 2.4 Harden security with DigitalOcean Cloud Firewall To reduce attack surface and abuse risk: -* In Cloud Firewalls: +- In Cloud Firewalls: + - Allow inbound only: `22` (SSH), `80` (HTTP) and `443` (HTTPS). + - Do _not_ expose `8080` to the public Internet. - * Allow inbound only: `22` (SSH), `80` (HTTP) and `443` (HTTPS). - * Do *not* expose `8080` to the public Internet. -* If needed, further restrict: - - * Only allow company office IP ranges or CI/CD nodes. - * Combine with a VPN or other gateway if you need more control. +- If needed, further restrict: + - Only allow company office IP ranges or CI/CD nodes. + - Combine with a VPN or other gateway if you need more control. ## 3. Option 2: DigitalOcean App Platform (fully managed) -App Platform can run Xget directly from a container image or source code repo. It handles load balancing, TLS, and autoscaling for you, which is great if you don’t want to manage servers. +App Platform can run Xget directly from a container image or source code repo. +It handles load balancing, TLS, and autoscaling for you, which is great if you +don’t want to manage servers. ### 3.1 Basic flow 1. **Prepare the container image** Two common options: - - * Use the official image: `ghcr.io/xixu-me/xget:latest` - * Or mirror/rebuild Xget into DOCR if you want a private registry or faster internal pulls. + - Use the official image: `ghcr.io/xixu-me/xget:latest` + - Or mirror/rebuild Xget into DOCR if you want a private registry or faster + internal pulls. 2. **Create an App** In the DigitalOcean control panel: + - Create new App → choose "Container". 
+ - Source: + - DigitalOcean Container Registry _or_ + - an external image (`ghcr.io/xixu-me/xget:latest`). - * Create new App → choose "Container". - * Source: - - * DigitalOcean Container Registry *or* - * an external image (`ghcr.io/xixu-me/xget:latest`). - * Set the internal listening port to `8080`. + - Set the internal listening port to `8080`. 3. **Configure routing** - - * Map external path `/` to the Xget service. - * Bind your domain (e.g. `xget.example.com`) to the app and enable automatic HTTPS. + - Map external path `/` to the Xget service. + - Bind your domain (e.g. `xget.example.com`) to the app and enable automatic + HTTPS. 4. **Scaling** - - * In the Scaling section, set minimum number of instances, e.g. 2 replicas for high availability. - * Configure autoscaling based on CPU / memory usage. + - In the Scaling section, set minimum number of instances, e.g. 2 replicas + for high availability. + - Configure autoscaling based on CPU / memory usage. ### 3.2 Pros and caveats -* **Pros** - - * No OS or Docker maintenance. - * Built-in TLS / certificate management. - * Simple scaling and deployment UX. +- **Pros** + - No OS or Docker maintenance. + - Built-in TLS / certificate management. + - Simple scaling and deployment UX. -* **Caveats** - - * Xget is sensitive to large download traffic: you should monitor bandwidth and outbound data transfer costs. - * For advanced network control (VPC-only access, strict firewall rules), combine App Platform with Cloud Firewall and VPC. +- **Caveats** + - Xget is sensitive to large download traffic: you should monitor bandwidth + and outbound data transfer costs. + - For advanced network control (VPC-only access, strict firewall rules), + combine App Platform with Cloud Firewall and VPC. ## 4. Option 3: DigitalOcean Kubernetes (DOKS) -When you need multiple replicas, blue-green deployments, or fine-grained rollout strategies, run Xget on DOKS as a standard `Deployment`. 
+When you need multiple replicas, blue-green deployments, or fine-grained rollout +strategies, run Xget on DOKS as a standard `Deployment`. ### 4.1 Example Deployment & Service -> Note: the health check path below uses `/`. If your build of Xget exposes a dedicated health endpoint, adjust accordingly. +> Note: the health check path below uses `/`. If your build of Xget exposes a +> dedicated health endpoint, adjust accordingly. ```yaml apiVersion: apps/v1 @@ -244,11 +255,11 @@ spec: - containerPort: 8080 resources: requests: - cpu: "250m" - memory: "256Mi" + cpu: '250m' + memory: '256Mi' limits: - cpu: "1" - memory: "512Mi" + cpu: '1' + memory: '512Mi' readinessProbe: httpGet: path: / 
@@ -275,17 +286,21 @@ spec: type: LoadBalancer ``` -* `type: LoadBalancer` will automatically create a DigitalOcean Load Balancer and assign a public IP. -* Point `xget.example.com` to the Load Balancer IP in your DNS. +- `type: LoadBalancer` will automatically create a DigitalOcean Load Balancer + and assign a public IP. +- Point `xget.example.com` to the Load Balancer IP in your DNS. -If you are using an Ingress Controller (nginx Ingress, Traefik, etc.), you can change the service type to `ClusterIP` and configure Ingress + cert-manager for Let’s Encrypt. +If you are using an Ingress Controller (nginx Ingress, Traefik, etc.), you can +change the service type to `ClusterIP` and configure Ingress + cert-manager for +Let’s Encrypt. ## 5. Using DOCR + Xget as an image accelerator -Xget can act as a registry accelerator for multiple container registries, including DigitalOcean Container Registry (DOCR). The typical pattern is: +Xget can act as a registry accelerator for multiple container registries, +including DigitalOcean Container Registry (DOCR). The typical pattern is: -* Original: `https://registry.digitalocean.com/...` -* Through Xget: `https:///cr/digitalocean/...` +- Original: `https://registry.digitalocean.com/...` +- Through Xget: `https:///cr/digitalocean/...` ### 5.1 Example: accelerate DOCR pulls 
@@ -301,27 +316,31 @@ You can convert it to: https://xget.example.com/cr/digitalocean/my-registry/my-image:latest ``` -This is especially useful for scripting, diagnostic, or advanced caching setups around DOCR. +This is especially useful for scripting, diagnostic, or advanced caching setups +around DOCR. ### 5.2 Using Xget as a pull accelerator (daemon.json idea) -In some environments you can configure Docker / containerd to use Xget as a registry mirror. For example, in `/etc/docker/daemon.json`: +In some environments you can configure Docker / containerd to use Xget as a +registry mirror. For example, in `/etc/docker/daemon.json`: ```json { - "registry-mirrors": [ - "https://xget.example.com/cr/digitalocean" - ] + "registry-mirrors": ["https://xget.example.com/cr/digitalocean"] } ``` -> Note: Support for non–Docker Hub mirrors depends on the Docker/containerd version and configuration. Treat this as a pattern; always verify behavior in your own environment. +> Note: Support for non–Docker Hub mirrors depends on the Docker/containerd +> version and configuration. Treat this as a pattern; always verify behavior in +> your own environment. ## 6. Using Xget on DigitalOcean to accelerate AI inference and dev dependencies -Xget also supports API acceleration for multiple AI inference providers (e.g., OpenAI, Anthropic, Gemini) through URL conversions such as `ip/`. +Xget also supports API acceleration for multiple AI inference providers (e.g., +OpenAI, Anthropic, Gemini) through URL conversions such as `ip/`. -Once Xget is deployed on DigitalOcean, simply replace the public demo domain in examples with your own domain: +Once Xget is deployed on DigitalOcean, simply replace the public demo domain in +examples with your own domain: ```env # .env example 
@@ -342,42 +361,51 @@ client = OpenAI( ) ``` -If your CI/CD pipelines or backend services also run on DigitalOcean (Droplets, App Platform, DOKS), they can access Xget very close in network topology, reducing latency and cross-region hops. +If your CI/CD pipelines or backend services also run on DigitalOcean (Droplets, +App Platform, DOKS), they can access Xget very close in network topology, +reducing latency and cross-region hops. ## 7. Monitoring, logging, and cost optimization 1. **Monitoring** - - * **Droplet**: Install the DigitalOcean Monitoring Agent to track CPU, memory, and bandwidth. - * **App Platform / DOKS**: Use the built-in metrics views and alerts. - * At the application level, you can inspect Xget’s response headers (e.g., performance metrics) to understand cache hits and upstream delays if Xget exposes such information in your setup. + - **Droplet**: Install the DigitalOcean Monitoring Agent to track CPU, + memory, and bandwidth. + - **App Platform / DOKS**: Use the built-in metrics views and alerts. + - At the application level, you can inspect Xget’s response headers (e.g., + performance metrics) to understand cache hits and upstream delays if Xget + exposes such information in your setup. 2. **Logging** - - * Use `docker logs` or `kubectl logs` to inspect Xget container logs. - * Aggregate nginx / Ingress logs plus Xget logs into a centralized stack (ELK, Loki, etc.) for easier debugging. + - Use `docker logs` or `kubectl logs` to inspect Xget container logs. + - Aggregate nginx / Ingress logs plus Xget logs into a centralized stack + (ELK, Loki, etc.) for easier debugging. 3. **Cost optimization** + - Start with a smaller Droplet or the lowest App Platform plan, then scale + based on real traffic. + - For very high outbound traffic, focus on: + - Improving cache hit ratio. + - Avoiding redundant upstream requests. - * Start with a smaller Droplet or the lowest App Platform plan, then scale based on real traffic. 
- * For very high outbound traffic, focus on: - - * Improving cache hit ratio. - * Avoiding redundant upstream requests. - * Choose regions that balance: - - * End-user latency. - * Upstream connectivity quality (e.g., to GitHub, DOCR, AI providers). + - Choose regions that balance: + - End-user latency. + - Upstream connectivity quality (e.g., to GitHub, DOCR, AI providers). ## 8. Security and abuse prevention -Because Xget is fundamentally a high-performance HTTP / Git / container registry proxy, you need to be careful about abuse: - -* Do not expose a completely open, unauthenticated Xget service to the entire public Internet if you don’t fully understand the risk. -* Recommended mitigations: - - * Restrict access to trusted IP ranges (office network, VPN, CI/CD nodes). - * Add authentication at the reverse proxy or gateway layer (e.g., Basic Auth, token-based, or JWT). - * Configure reasonable timeouts and concurrency limits to reduce the impact of misuse and protect upstreams. - -With these patterns, you can deploy Xget on DigitalOcean using Droplets, App Platform, or Kubernetes, and combine it with DOCR, DNS, and firewalls to build a unified, robust acceleration layer for repositories, container images, and AI inference traffic. +Because Xget is fundamentally a high-performance HTTP / Git / container registry +proxy, you need to be careful about abuse: + +- Do not expose a completely open, unauthenticated Xget service to the entire + public Internet if you don’t fully understand the risk. +- Recommended mitigations: + - Restrict access to trusted IP ranges (office network, VPN, CI/CD nodes). + - Add authentication at the reverse proxy or gateway layer (e.g., Basic Auth, + token-based, or JWT). + - Configure reasonable timeouts and concurrency limits to reduce the impact of + misuse and protect upstreams. 
+ +With these patterns, you can deploy Xget on DigitalOcean using Droplets, App +Platform, or Kubernetes, and combine it with DOCR, DNS, and firewalls to build a +unified, robust acceleration layer for repositories, container images, and AI +inference traffic. From 580d61a38e4e06d80192afdda7b54f9b1b5f10f5 Mon Sep 17 00:00:00 2001 From: Xi Xu Date: Fri, 27 Mar 2026 03:23:26 +0800 Subject: [PATCH 2/2] docs: improve warning message formatting in README for self-hosting instructions --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index d1cc21b8c..e02e34d6a 100644 --- a/README.md +++ b/README.md @@ -85,7 +85,8 @@ Xget. **Pre-deployed Instance: `xget.xi-xu.me`** - For evaluation and trial only, deploy your own instance for production or availability-sensitive workloads -> [!WARNING] If you self-host it, put it behind authentication, IP allowlists, +> [!WARNING] +> If you self-host it, put it behind authentication, IP allowlists, > or both unless you explicitly intend to run a public mirror. **URL Converter:** [**`xuc.xi-xu.me`**](https://xuc.xi-xu.me) - Convert any
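Review bot: In README.md, hunk `@@ -84,6 +85,9 @@` of PATCH 1/2, the alert marker and the warning text share one line (`> [!WARNING] If you self-host it, put it behind authentication, IP allowlists,`), while the zh-Hans and zh-Hant hunks in the same commit put `> [!WARNING]` on its own line. GitHub's alert syntax expects the marker alone on the first quoted line, so the English warning would not render as an alert at this commit. PATCH 2/2 corrects it; squashing the two commits would keep the broken form out of history. The warning also names authentication and IP allowlists without saying where to configure them, so a link to section 8 of docs/deploy-on-digitalocean.md would make it actionable.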
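Review bot: In README.zh-Hans.md, hunk `@@ -102,7 +105,7 @@`, the method-allowlist bullet now says 容器镜像存储库 for container registries, but the intro paragraph and badge in hunk `@@ -58,7 +58,7 @@` say 容器注册表 for the same concept. README.zh-Hant.md has the same split (容器映像儲存庫 against 容器註冊表). Since this commit is normalising 仓库 to 存储库, pick one term for "container registry" and use it in both places so readers do not take them for two different things.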
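Review bot: commitlint.config.mjs is changed under a `docs:` subject, but the edit is a quote-style change plus a dropped trailing comma (`extends: ['@commitlint/config-conventional']`), which is tooling configuration, not documentation. The same formatter pass also rewrites quotes inside the Compose and Kubernetes snippets in docs/deploy-on-digitalocean.md. Either split the formatter run into its own `style:` or `chore:` commit or mention it in the commit message, so the substantive wording changes are not buried in a 151-insertion diff.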
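Review bot: In docs/deploy-on-digitalocean.md, hunk `@@ -152,75 +160,78 @@`, section 2.4 still allows inbound `22` (SSH) with no source restriction and presents IP restriction only under "If needed, further restrict", which is weaker than the README warning this same commit adds (authentication, IP allowlists, or both by default). Suggest limiting SSH to admin source ranges in the firewall rule list and making the allowlist for `443` the default recommendation, with the open configuration as the explicit public-mirror exception. In the same hunk, section 3.1 recommends `ghcr.io/xixu-me/xget:latest` twice; for a proxy that sits in the dependency and image pull path, recommending a pinned version tag or digest would give reproducible, reviewable deployments.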
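Review bot: In docs/deploy-on-digitalocean.md, hunk `@@ -275,17 +286,21 @@`, the "Through Xget" pattern reads `https:///cr/digitalocean/...` on both the removed and the added line, so the host part is empty as shown here. Since the line is being touched anyway, fill in the host the rest of the guide uses, for example `https://xget.example.com/cr/digitalocean/...`, which matches the converted URL in section 5.1.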
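Review bot: In docs/deploy-on-digitalocean.md, hunk `@@ -342,42 +361,51 @@`, section 8 is only re-wrapped and re-bulleted, although the commit subject promises updated security recommendations. Its first bullet still says not to expose an open instance "if you don't fully understand the risk", which is softer than the README's new "unless you explicitly intend to run a public mirror". Align the wording with the README warning and state the default directly: restrict to trusted IP ranges or require authentication at the reverse proxy, with timeouts and concurrency limits as an addition to access control and not a substitute for it.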