Free GitHub and Docker Hub Proxy Using Cloudflare Workers

Background

Servers in mainland China cannot directly access GitHub and Docker Hub. This article explains how to set up your own proxy on the free tier of Cloudflare Workers, at zero cost and fully under your control.

GitHub Proxy

The Worker receives incoming requests, determines the target based on the request path, and proxies them to either github.com or raw.githubusercontent.com, then returns the response. Running on Cloudflare’s edge nodes, it is unaffected by network restrictions.

Deployment: Install Wrangler → Write the Worker code → Add an AAAA DNS record (100::) for your domain → Run wrangler deploy.

Usage Examples:

  • Downloading a release: curl -L https://your-proxy-domain/github.com/.../v1.0/file.tar.gz
  • Fetching raw files: curl https://your-proxy-domain/raw.githubusercontent.com/.../README.md

Real-world test: Downloading an 11 MB file from Tencent Cloud Guangzhou took 5 seconds via the proxy; direct connection timed out.

Docker Hub Proxy

The Worker proxies Registry v2 requests and rewrites the authentication URL in 401 responses to point to itself, enabling clients to complete authentication through the proxy.

Core Workflow:

  1. /v2/ request → proxied to Docker Hub → receives 401 → rewrite authentication URL
  2. Client obtains token via the proxy
  3. Client uses the token to fetch manifest and blob
  4. When redirecting blob requests to CDN, remove the Authorization header

Podman Configuration: Add a mirror configuration pointing to your proxy domain in registries.conf.d.

Note: Docker Hub’s anonymous rate limit is 100 pulls per 6 hours; we recommend combining this proxy with other mirrors.

Cost

The Workers free tier allows up to 100,000 requests per day, with no outbound bandwidth charges.

Common Pitfalls & Solutions

  1. workers.dev domains are blocked in mainland China—you must bind a custom domain.
  2. The Authorization header must be removed when redirecting blob requests to CDN; otherwise, CDN returns HTTP 403.
  3. Even /v2/ ping requests return 401—authentication URL rewriting must be applied uniformly.
  4. Use an AAAA DNS record (100::) with Cloudflare’s orange-cloud (proxy) enabled.
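
The header handling behind workflow steps 1 and 4 and pitfalls 2 and 3, as an added example that is not the article's own Worker code. The function names, the /token path on the proxy and the sample hostnames in the comments are assumptions made for illustration.

```javascript
// Added example: pure helpers a Worker's fetch handler could call.
const REGISTRY = "https://registry-1.docker.io";   // Docker Hub registry
const AUTH_REALM = "https://auth.docker.io/token";  // Docker Hub token service

// Map an incoming request to a fixed upstream. Only /v2/ and /token are
// served, so the Worker cannot be used to reach arbitrary hosts.
function upstreamFor(requestUrl) {
  const { pathname, search } = new URL(requestUrl);
  if (pathname === "/token") return AUTH_REALM + search; // assumed proxy path
  if (pathname.startsWith("/v2/")) return REGISTRY + pathname + search;
  return null; // caller should answer 404 instead of proxying
}

// Step 1 / pitfall 3: rewrite the Bearer realm of every 401 (including the
// /v2/ ping) so the client requests its token through the proxy.
// service= and scope= must pass through unchanged.
function rewriteChallenge(wwwAuthenticate, proxyOrigin) {
  return wwwAuthenticate.replace(/realm="([^"]*)"/i, (match, realm) =>
    realm === AUTH_REALM ? `realm="${proxyOrigin}/token"` : match
  );
}

// Step 4 / pitfall 2: compute the follow-up request for a redirect that was
// fetched with { redirect: "manual" }. The Authorization header is dropped
// whenever the redirect leaves the original origin, so the registry token
// is never sent to the CDN.
function followRedirect(headers, fromUrl, location) {
  const target = new URL(location, fromUrl); // Location may be relative
  const crossOrigin = target.origin !== new URL(fromUrl).origin;
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (crossOrigin && name.toLowerCase() === "authorization") continue;
    out[name] = value;
  }
  return { url: target.href, headers: out };
}
```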

The full implementation is ~80 lines of JavaScript, centered around fetch-based proxying and header manipulation. Feel free to reply with questions or feedback!