PLATFORM CAPABILITIES
Everything you need tobuild & scale
ArylLabs provides a complete suite of tools to host, scale, and secure your web applications. From intelligent Edge architecture to seamless Git integration.
Google Drive Hosting
Turn any Google Drive folder into a blazing-fast website instantly. No servers to configure.
- Auto-sync updates
- Shared folders support
- Media optimization
GitHub Integration
Seamless CI/CD pipeline. Push to your repository and watch your site build and deploy automatically.
- Branch previews
- Build logs
- Custom domains per branch
Global Edge Network
Your content is cached and served from hundreds of points of presence worldwide for sub-50ms latency.
- Smart routing
- Automatic compression
- Anycast network
Enterprise Security
Every deployment includes free, automatic SSL certificates and powerful DDoS mitigation built-in.
- Free custom SSL
- DDoS protection
- Web Application Firewall
Real-time Analytics
Understand your audience with privacy-friendly, deeply integrated analytics out of the box.
- Visitor metrics
- Top pages & referrers
- Zero config required
Framework Support
First-class support for modern frontend frameworks including Next.js, React, Vue, and plain HTML.
- Next.js App Router
- Static Site Generation
- SPA routing
INFRASTRUCTURE
Built for performance.
Optimized for humans.
We handle the complexities of server maintenance, edge caching, and security so you can focus entirely on writing great code and creating beautiful experiences.
Zero Configuration
No complex YAML files or server setup required. It just works.
Instant Rollbacks
Revert your deployments to any previous state in a matter of seconds.
Custom Domains
Bring your own domain and we'll automatically provision SSL certificates.
Status
All Systems Operational
Latency
12ms avg
→ Deploying project...
→ Building optimized assets: 100%
→ Provisioning SSL certificate... Done
→ Propagating to Edge network...
✓ Deployed successfully in 4.2s
TECHNICAL DEEP DIVE
Infrastructure Pipelines
Five visualized infrastructure flowcharts for the core ArylHive platform. Every diagram is based on our real production architecture.
PIPELINE 1
🗂️ Google Drive Pipeline
Blazing-fast origin proxying converts private Google Drive folders into high-performance web experiences via OAuth2 Cloud Proxying.
Architecture Overview
flowchart TB
User((End User))
Dashboard[ArylHive Dashboard]
API[ArylHive API Worker]
subgraph Auth
OAuth2[Google OAuth 2.0]
JWT[JWT Session Manager]
end
subgraph Edge["Cloudflare Edge (300+ PoPs)"]
Worker[CF Worker — Site Server]
EdgeCache[Edge Cache Layer]
end
subgraph Storage
Drive[Google Drive API v3]
Turso[Turso DB — Previews Table]
end
User -- "1. Connect Drive" --> Dashboard
Dashboard -- "2. OAuth2 Consent" --> OAuth2
OAuth2 -- "3. Access Token + Refresh Token" --> API
API -- "4. Store Tokens (Encrypted)" --> Turso
User -- "5. Visit site.aryl.app" --> Worker
Worker -- "6. Lookup Route Metadata" --> Turso
Worker -- "7. Check Edge Cache" --> EdgeCache
Worker -- "8. Fetch via Drive API (OAuth2)" --> Drive
Drive -- "9. Stream File Content" --> Worker
Worker -- "10. Proxy Response + Cache" --> User
Request Lifecycle (Visualized)
When a visitor opens https://my-site.aryl.app/index.html (a Google Drive-hosted site):
sequenceDiagram
participant Visitor
participant Worker as CF Worker (Edge)
participant Cache as Edge Cache (Cloudflare)
participant Turso as Turso DB
participant Drive as Google Drive API v3
participant Collapse as Request Collapsing Map
Visitor->>Worker: GET https://my-site.aryl.app/index.html
Worker->>Turso: SELECT * FROM previews WHERE subdomain = 'my-site'
Turso-->>Worker: Return provider='google-drive', folder_id, tokens
Worker->>Cache: cache.match(request)
alt Cache HIT
Cache-->>Visitor: 200 OK (Cached Asset, 0 origin fetches)
else Cache MISS
Worker->>Collapse: Check pendingSiteRequests map
alt Concurrent request in-flight
Collapse-->>Worker: Re-use pending Promise
else No pending request
Worker->>Drive: GET file by path (OAuth2 Bearer Token)
Drive-->>Worker: Raw byte stream (chunked)
Worker->>Worker: Inject correct Content-Type via MIME detection
Worker->>Worker: Set Cache-Control headers (24h static / 1h HTML)
Worker->>Cache: cache.put (non-blocking)
end
Worker-->>Visitor: 200 OK (Proxied Stream)
end
Key Technical Decisions
| Decision | Rationale |
|---|---|
| Read-only OAuth scopes | Only drive.readonly for the specific folder; user's full Drive is never exposed |
| Refresh token auto-rotation | Tokens are refreshed server-side; user never re-authenticates unless revoked |
| MIME-type intelligence | Drive often returns generic MIME types; the Worker detects correct types via file extension + magic bytes |
| Request collapsing | In-memory pendingSiteRequests Map prevents thundering herd — concurrent requests for the same file reuse a single Drive API call |
PIPELINE 2
🐙 GitHub Deployment Pipeline
Next-gen deployment pipeline featuring Content-Addressable Storage (CAS) for perfect deduplication and instant rollbacks.
Architecture Overview
flowchart TB
Dev((Developer))
GitHub[GitHub Repository]
subgraph ArylHive["ArylHive Platform"]
Dashboard[Dashboard UI]
API[API Worker]
BuildEngine[Build Engine — Hive Build Worker]
end
subgraph CI["Continuous Deployment"]
Webhook[GitHub Webhook Listener]
Builder[Build Runner — npm / Vite / Next.js]
end
subgraph Storage["Deployment Storage"]
B2[Backblaze B2 — CAS Objects]
Manifest[B2 — Deployment Manifests]
Turso[Turso DB — Deployments Table]
end
subgraph Edge["Cloudflare Edge"]
Worker[CF Worker — Site Server]
EdgeCache[Edge Cache]
end
Dev -- "1. git push" --> GitHub
GitHub -- "2. Webhook Event (push)" --> Webhook
Webhook -- "3. Trigger Build" --> BuildEngine
BuildEngine -- "4. Clone + npm install + build" --> Builder
Builder -- "5. Upload CAS Chunks (deduplicated)" --> B2
Builder -- "6. Write Manifest (file→hash mapping)" --> Manifest
Builder -- "7. Record Deployment" --> Turso
Builder -- "8. Purge + Pre-warm Edge Cache" --> EdgeCache
Dev -- "9. Visit site.aryl.app" --> Worker
Worker -- "10. Resolve Deployment" --> Turso
Worker -- "11. Fetch via Manifest → CAS" --> B2
Worker -- "12. Serve from Edge Cache" --> EdgeCache
Deployment Lifecycle (Visualized)
From git push to live site in under 60 seconds:
sequenceDiagram
participant Dev as Developer
participant GH as GitHub
participant Webhook as CF Worker (Webhook)
participant DB as Turso DB
participant Build as Hive Build Worker
participant B2 as Backblaze B2
participant Cache as Edge Cache
participant Visitor
Dev->>GH: git push origin main
GH->>Webhook: POST /api/github/webhook (push event)
Webhook->>DB: Lookup linked project by installation_id + repo
DB-->>Webhook: project_id, preview_id, build_command, output_dir
Webhook->>Build: Dispatch async build job
Build->>GH: Clone repository (GitHub Contents API)
Build->>Build: npm install → npm run build
Build->>Build: Hash each output file (SHA-256)
Build->>B2: Upload only NEW chunks (deduplication)
Build->>B2: Write manifest (cas:deployId.json)
Build->>DB: INSERT deployment (status='success', folder_id='cas:...')
Build->>Cache: Purge old edge cache entries
Build->>Cache: Pre-warm critical paths (/index.html, /404.html)
Visitor->>Cache: GET https://site.aryl.app/
alt Cache HIT
Cache-->>Visitor: 200 OK (Edge-cached)
else Cache MISS
Cache->>B2: Fetch CAS object by hash
B2-->>Cache: File content
Cache-->>Visitor: 200 OK
end
Key Technical Decisions
| Decision | Rationale |
|---|---|
| Content-Addressable Storage (CAS) | Files stored by SHA-256 hash — identical files across deployments are never stored twice, dramatically reducing storage costs |
| Manifest-based routing | Each deployment has a JSON manifest mapping path → hash, enabling instant atomic rollbacks |
| Edge cache purge + pre-warm | On each deploy, old cache is purged and critical paths are pre-warmed to eliminate cold starts |
| GitHub App installation model | Uses GitHub Apps (not personal tokens) for secure, fine-grained repo access with automatic webhook registration |
| CAS garbage collection | Periodic CRON job compares all CAS objects against active manifests and deletes orphans |
PIPELINE 3
🌐 CDN Pipeline
Low-latency global delivery network with 300+ PoPs, Anycast routing, and multi-tier caching for sub-10ms performance.
Architecture Overview
flowchart TB
Visitor((Global Visitor))
subgraph Cloudflare["Cloudflare Anycast Network (300+ PoPs)"]
DNS[Anycast DNS Resolution]
Edge[Nearest Edge PoP]
WAF[Web Application Firewall]
DDoS[L3/4/7 DDoS Shield — 100+ Tbps]
end
subgraph Caching["Multi-Tier Cache"]
L1Cache[L1 — Edge PoP RAM Cache]
L2Cache[L2 — Regional Tier Cache]
OriginShield[Origin Shield]
end
subgraph Origin["Origin Storage"]
B2[Backblaze B2]
R2[Cloudflare R2]
Drive[Google Drive API]
end
subgraph TLS["TLS Termination"]
ACME["Let's Encrypt ACME"]
TLS13[TLS 1.3 + HTTP/3 QUIC]
end
Visitor -- "1. DNS Query" --> DNS
DNS -- "2. Anycast → Nearest PoP" --> Edge
Edge -- "3. DDoS + WAF Check" --> WAF
WAF --> DDoS
Edge -- "4. TLS Termination" --> TLS13
Edge -- "5. Check L1 Cache" --> L1Cache
L1Cache -- "6. MISS → Regional Tier" --> L2Cache
L2Cache -- "7. MISS → Origin Shield" --> OriginShield
OriginShield -- "8. Fetch from Origin" --> B2
OriginShield -- "8. Fetch from Origin" --> R2
OriginShield -- "8. Proxy from Origin" --> Drive
CDN Request Lifecycle (Visualized)
sequenceDiagram
participant Visitor
participant DNS as Anycast DNS
participant Edge as Nearest Edge PoP
participant WAF as WAF + DDoS Shield
participant Cache as Multi-Tier Cache
participant Worker as CF Worker (V8 Isolate)
participant Origin as Origin Storage (B2/R2/Drive)
Visitor->>DNS: Resolve my-site.aryl.app
DNS-->>Visitor: Anycast IP → nearest PoP (< 5ms)
Visitor->>Edge: GET /assets/app.js (HTTP/3 QUIC)
Edge->>WAF: Inspect request (Rules, Bot Score, IP Reputation)
alt Malicious / DDoS
WAF-->>Visitor: 403 Blocked (Challenge / CAPTCHA)
else Clean Traffic
WAF-->>Edge: Pass
end
Edge->>Cache: L1 PoP RAM Cache lookup
alt L1 HIT
Cache-->>Visitor: 200 OK (< 1ms TTFB)
else L1 MISS
Cache->>Cache: L2 Regional Tier lookup
alt L2 HIT
Cache-->>Visitor: 200 OK (< 5ms TTFB)
else L2 MISS
Cache->>Worker: Route to V8 Isolate (0ms cold start)
Worker->>Origin: Fetch asset (S3-compatible / Drive API)
Origin-->>Worker: Byte stream
Worker->>Worker: Set Cache-Control, Content-Type, ETag
Worker->>Cache: Store in L1 + L2 (non-blocking)
Worker-->>Visitor: 200 OK (Streamed)
end
end
Key Technical Decisions
| Decision | Rationale |
|---|---|
| Immutable deployment assets | Hashed filenames (e.g. app.a1b2c3.js) enable infinite Cache-Control: max-age — 100% cache hit rate after first request |
| HTML gets 1h TTL, static gets 24h | HTML pages may change between deploys; static assets are immutable |
| Anycast BGP routing | Every PoP announces the same IP — visitors are automatically routed to the nearest datacenter by the internet itself |
| HTTP/3 QUIC | Eliminates TCP head-of-line blocking; 0-RTT connection resume for repeat visitors |
| Unmetered DDoS | Cloudflare absorbs 100+ Tbps attacks at the edge — zero bandwidth surcharges |
PIPELINE 4
🔒 Zero Trust Security Pipeline
Comprehensive security suite including unmetered DDoS protection, WAF rules, and identity-aware access gates. Every request passes through multiple trust verification layers — no request is implicitly trusted.
Architecture Overview
flowchart TB
Request((Incoming Request))
subgraph EdgeSecurity["Edge Security Layer"]
TLS[TLS 1.3 Termination]
DDoS[DDoS Mitigation — 100+ Tbps]
WAF[WAF Rules Engine]
BotMgmt[Bot Management — ML Scoring]
end
subgraph Auth["Authentication & Authorization"]
JWT[JWT Session Verification]
OAuth[OAuth2 Provider Validation]
CORS[CORS Origin Allowlist]
RateLimit[Rate Limiting — Sliding Window]
end
subgraph DataSecurity["Data Security"]
PasswordGate[Password Gate — bcrypt Hashed]
EmailGate[Email Gate — Lead Capture]
Expiry[Link Expiration — Unix Timestamp]
Visibility[Visibility Control — Public / Private]
end
subgraph Isolation["Domain Isolation"]
AppDomain["*.aryl.app — Site Deployments"]
CloudDomain["*.aryl.cloud — Pages"]
APIDomain["api.aryllabs.com — API Only"]
end
Request --> TLS
TLS --> DDoS
DDoS --> WAF
WAF --> BotMgmt
BotMgmt --> JWT
JWT --> OAuth
OAuth --> CORS
CORS --> RateLimit
RateLimit -- "Page Route" --> PasswordGate
PasswordGate --> EmailGate
EmailGate --> Expiry
Expiry --> Visibility
RateLimit -- "Domain Isolation" --> Isolation
Zero Trust Request Lifecycle (Visualized)
Every single request passes through multiple trust verification layers:
sequenceDiagram
participant Client
participant Edge as CF Edge (TLS + DDoS)
participant WAF as WAF + Bot Detection
participant Worker as CF Worker
participant Auth as Auth Engine
participant Gate as Access Gates
participant Resource as Protected Resource
Client->>Edge: HTTPS Request (TLS 1.3 Handshake)
Edge->>Edge: DDoS fingerprint check (L3/4/7)
Edge->>WAF: Apply managed rulesets + custom rules
WAF->>WAF: Bot score via ML model
alt Bot Score < 30 (Likely Bot)
WAF-->>Client: 403 + JS Challenge
else Clean Request
WAF-->>Worker: Pass to V8 Isolate
end
Worker->>Worker: Validate Origin header against CORS allowlist
alt Origin not in allowlist
Worker-->>Client: 403 CORS Rejected
end
Worker->>Auth: Check rate limit (sliding window per IP)
alt Rate exceeded
Auth-->>Client: 429 Too Many Requests
end
alt API Route (/api/*)
Worker->>Auth: Extract + Verify JWT from cookie
Auth->>Auth: Validate signature, expiry, claims
alt Invalid JWT
Auth-->>Client: 401 Unauthorized (Clear cookie)
end
end
alt Share Route (*.aryl.cloud)
Worker->>Gate: Check link expiration (expires_at vs NOW)
alt Link Expired
Gate-->>Client: 410 Gone
end
Worker->>Gate: Check password requirement
alt Password Required
Gate->>Gate: Validate share_pwd cookie
alt No Valid Cookie
Gate-->>Client: 200 Password Gate HTML
end
end
Worker->>Gate: Check email requirement
alt Email Required
Gate->>Gate: Check share_email cookie
alt No Cookie
Gate-->>Client: 200 Email Capture Gate HTML
end
end
end
Worker->>Resource: Fetch protected resource
Resource-->>Worker: Content
Worker-->>Client: 200 OK
Key Technical Decisions
| Decision | Rationale |
|---|---|
| Domain isolation (.aryl.app vs .aryl.cloud) | Prevents XSS cookie theft — malicious uploaded HTML on .aryl.cloud cannot access .aryl.app cookies |
| Email verification via DNS-over-HTTPS | MX record validation + disposable email blocklist prevents fake lead capture submissions |
| Short-lived cookies for share access | share_email and share_pwd cookies are session-scoped — no persistent access beyond the browser session |
| Guest link auto-expiration | Guest uploads expire at NOW() + 6 hours enforced at the edge — prevents indefinite storage waste |
| CORS origin allowlist | API only accepts requests from known origins; worker-level enforcement before any DB queries |
PIPELINE 5
⚡ Performance Engine & Edge Compute
High-performance V8 Isolate runtime optimized for concurrency, streaming, and non-blocking background tasks.
Architecture Overview
flowchart TB
Request((Incoming Request))
subgraph V8["V8 Isolate Runtime"]
Isolate[V8 Isolate — 0ms Cold Start]
StreamAPI[Streams API — Chunked Transfer]
WaitUntil["ctx.waitUntil() — Async Side-effects"]
end
subgraph Caching["Intelligent Cache Strategy"]
EdgeCache[CF Edge Cache API]
B2Cache["B2 Cache Layer (cache.match)"]
MemoryCollapse[In-Memory Request Collapsing]
end
subgraph Optimization["Response Optimization"]
MIME[MIME-Type Intelligence]
Headers[Header Injection Engine]
Compression[Brotli / Gzip Auto-Negotiation]
end
subgraph Analytics["Non-Blocking Analytics"]
AE[CF Analytics Engine]
ViewTrack[View Tracking — Fire-and-Forget]
DurationTrack[Duration Tracking — JS Beacon]
end
subgraph Scheduled["Scheduled Maintenance"]
CASGC[CAS Garbage Collection]
GuestCleanup[Guest Link Cleanup]
PackedGC[Packed Storage Compaction]
end
Request --> Isolate
Isolate -- "Concurrent Safe" --> MemoryCollapse
Isolate --> StreamAPI
Isolate --> EdgeCache
EdgeCache -- "MISS" --> B2Cache
B2Cache -- "fetch + cache.put" --> EdgeCache
StreamAPI --> MIME
MIME --> Headers
Headers --> Compression
Isolate -.-> WaitUntil
WaitUntil -.-> AE
WaitUntil -.-> ViewTrack
WaitUntil -.-> DurationTrack
Isolate -.-> Scheduled
Edge Compute Request Lifecycle (Visualized)
How performance is maximized at every stage of request processing:
sequenceDiagram
participant Client
participant Isolate as V8 Isolate (0ms boot)
participant Memory as In-Memory Collapse Map
participant EdgeCache as Edge Cache API
participant B2Cache as B2 Cache Layer
participant Origin as Origin (B2 / Drive)
participant AE as Analytics Engine
Client->>Isolate: Incoming Request (0ms cold start)
Isolate->>EdgeCache: cache.match(request URL)
alt Edge Cache HIT
EdgeCache-->>Client: 200 OK (instant, 0 DB queries, 0 KV reads)
else Edge Cache MISS
Isolate->>Isolate: Turso edge query (sub-ms latency)
Isolate->>B2Cache: cache.match(b2-cache-url)
alt B2 Cache HIT
B2Cache-->>Isolate: Cached B2 Response
else B2 Cache MISS
Isolate->>Memory: pendingSiteRequests.has(key)?
alt Concurrent Request In-Flight
Memory-->>Isolate: Reuse existing Promise (0 extra origin calls)
else First Request
Memory->>Memory: pendingSiteRequests.set(key, promise)
Isolate->>Origin: Fetch (Streams API — chunked)
Origin-->>Isolate: ReadableStream
Memory->>Memory: pendingSiteRequests.delete(key)
end
Isolate->>Isolate: MIME-type detection (extension + magic bytes)
Isolate->>Isolate: Inject Cache-Control, ETag, Content-Type
Isolate->>Isolate: Brotli / Gzip auto-negotiation
Isolate->>EdgeCache: ctx.waitUntil(cache.put(...))
Isolate->>B2Cache: ctx.waitUntil(cache.put(...))
end
Isolate-->>Client: 200 OK (Streamed Response)
end
Isolate-)AE: ctx.waitUntil(trackView(...)) — fire-and-forget
Key Technical Decisions
| Decision | Rationale |
|---|---|
| V8 Isolates (not containers) | 0ms cold start, ~5ms execution — no Docker/Lambda boot penalty. Each request runs in an isolated V8 context |
| Early edge cache fast-path | cache.match() runs BEFORE any DB queries or route matching — Cache HITs return instantly with zero compute |
| In-memory request collapsing | pendingSiteRequests Map prevents thundering herd — 1000 concurrent requests for the same asset result in 1 origin fetch |
| ctx.waitUntil() for side-effects | Analytics, cache writes, and logging happen AFTER the response is sent — never adding latency to the user-facing response |
| Analytics Engine over SQL counters | Writing to AE is non-blocking and scales to millions of events/sec — SQL UPDATE +1 would cause lock contention |
| CAS garbage collection (CRON) | Runs every 20h, comparing all stored CAS objects against active deployment manifests, deleting orphans to minimize storage costs |
| Two-tier B2 caching | B2 objects are cached at the edge (caches.default) with 24h TTL for static / 1h for HTML — eliminates repeated B2 API calls |
Experience next-level hosting
Join thousands of innovators who have already switched to ArylLabs for their deployment needs.