MokoConsulting/MokoGitea-APP
1
0
Fork 0
Code Issues 158 Pull Requests 3 Releases 96 Wiki Activity

feat(cdn): built-in CDN for release asset delivery #565

Merged
jmiller merged 1 commits from feat/cdn-release-delivery into dev 2026-06-07 16:12:50 +00:00
Conversation 0 Commits 1 Files Changed 10
+378 -2
jmiller commented 2026-06-07 16:08:53 +00:00
Owner
Copy Link
Copy Source

Summary

  • Add built-in CDN system that serves release assets via a dedicated hostname with per-asset visibility controls
  • Per-attachment cdn_public toggle in the release editor
  • Releases assigned to update streams are excluded from CDN (update server takes precedence)
  • IP/CIDR and referrer domain allowlists for abuse prevention

Closes #561

Details

  • Host-based routing in BeforeRouting intercepts requests on the CDN domain before any auth/session middleware
  • New cdn_public column on attachment table (migration v351)
  • CDN handler serves only public repos, non-draft releases, non-streamed releases
  • ETag, Cache-Control, CORS headers for downstream CDN compatibility (Cloudflare, nginx)
  • CDN toggle disabled in UI when release has an update stream assignment
  • Configurable via [cdn] section in app.ini

Test plan

  • Verify build compiles on server
  • Configure [cdn] in app.ini with DOMAIN set
  • Create a release with an asset, toggle CDN public
  • Access asset via CDN hostname URL
  • Verify 403 for non-CDN-public assets
  • Verify 403 for releases with update stream
  • Verify 304 Not Modified with ETag
  • Test IP allowlist blocks unauthorized IPs
## Summary - Add built-in CDN system that serves release assets via a dedicated hostname with per-asset visibility controls - Per-attachment `cdn_public` toggle in the release editor - Releases assigned to update streams are excluded from CDN (update server takes precedence) - IP/CIDR and referrer domain allowlists for abuse prevention Closes #561 ## Details - Host-based routing in `BeforeRouting` intercepts requests on the CDN domain before any auth/session middleware - New `cdn_public` column on `attachment` table (migration v351) - CDN handler serves only public repos, non-draft releases, non-streamed releases - ETag, Cache-Control, CORS headers for downstream CDN compatibility (Cloudflare, nginx) - CDN toggle disabled in UI when release has an update stream assignment - Configurable via `[cdn]` section in app.ini ## Test plan - [ ] Verify build compiles on server - [ ] Configure `[cdn]` in app.ini with DOMAIN set - [ ] Create a release with an asset, toggle CDN public - [ ] Access asset via CDN hostname URL - [ ] Verify 403 for non-CDN-public assets - [ ] Verify 403 for releases with update stream - [ ] Verify 304 Not Modified with ETag - [ ] Test IP allowlist blocks unauthorized IPs
jmiller added 1 commit 2026-06-07 16:08:54 +00:00
feat(cdn): built-in CDN for release asset delivery (#561)
Generic: Repo Health / Scripts governance (push) Blocked by required conditions
Details
Generic: Repo Health / Repository health (push) Blocked by required conditions
Details
Generic: Repo Health / Report Issues (push) Blocked by required conditions
Details
Generic: Repo Health / Site Health (push) Has been skipped
Details
Generic: Repo Health / Access control (push) Successful in 2s
Details
Universal: PR Check / Build RC Package (pull_request) Blocked by required conditions
Details
Universal: PR Check / Report Issues (pull_request) Blocked by required conditions
Details
Generic: Repo Health / Scripts governance (pull_request) Blocked by required conditions
Details
Generic: Repo Health / Repository health (pull_request) Blocked by required conditions
Details
Generic: Repo Health / Report Issues (pull_request) Blocked by required conditions
Details
Generic: Repo Health / Site Health (pull_request) Has been skipped
Details
Branch Policy Check / Verify merge target (pull_request) Successful in 1s
Details
Universal: PR Check / Branch Policy (pull_request) Successful in 2s
Details
Generic: Repo Health / Access control (pull_request) Successful in 2s
Details
PR RC Release / Build RC Release (pull_request) Successful in 3s
Details
Universal: PR Check / Validate PR (pull_request) Failing after 8s
Details
Branch Cleanup / Delete merged branch (pull_request) Failing after 1s
Details
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || 'development' }}) (pull_request) Successful in 2m55s
Details
37d59e7b59 
Add CDN system that serves release assets via a dedicated hostname
(e.g., cdn.mokoconsulting.tech) with per-asset public/private toggles,
IP/referrer allowlists, and aggressive caching headers.

- Host-based routing intercepts CDN domain before auth middleware
- Per-attachment cdn_public flag controls CDN visibility
- Releases in an update stream are excluded from CDN (update server takes precedence)
- CORS, ETag, Cache-Control headers for downstream CDN compatibility
- IP/CIDR and referrer domain allowlists for abuse prevention
jmiller merged commit 78803e60df into dev 2026-06-07 16:12:50 +00:00
jmiller deleted branch feat/cdn-release-delivery 2026-06-07 16:12:51 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
breaking-change
Breaking API or behavior change
 ci-cd
CI/CD pipeline changes
 config
Configuration changes
 dependencies
Dependency updates
 deploy-failure
Deployment failed
 docker
Docker/container changes
 documentation
Documentation changes
 good first issue
Good for newcomers
 health-check
Repo health check result
 help wanted
Extra attention needed
 mokostandards
Related to MokoStandards framework
 push-failure
Git push operation failed
 security
Security vulnerability or hardening
 size/l
200-500 lines changed
 size/m
50-200 lines changed
 size/s
10-50 lines changed
 size/xl
500+ lines changed
 size/xs
< 10 lines changed
 standards-drift
Deviates from MokoStandards
 standards-update
MokoStandards compliance update
 sync-failure
Sync or mirror failed
 tech-debt
Technical debt and TODO/FIXME items
 upstream
upstream
Inherited from upstream Gitea
 work-in-progress
Draft or incomplete work
No labels
Priority -
Type -
Milestone
No items
No Milestone
Assignees
Clear assignees
jmiller (Jonathan Miller) moko-deploy (Moko Deploy Bot)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: MokoConsulting/MokoGitea-APP#565
Delete Branch "feat/cdn-release-delivery"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?