The Quest for the Best Private Composer Repository

As our team grew and our library of internal PHP packages expanded, we faced a common dilemma: how do we distribute these packages securely to our projects without exposing them to the world? We took a deep dive into the available options, evaluating everything from paid services to DIY serverless solutions.

Here is a summary of our research and the solutions we implemented.

1. The Standard: Satis

Our journey began with the standard open-source solution: Satis. It's essentially a static site generator for Composer repositories. You feed it a config file, it scans your repositories, and generates a static `packages.json`.

We wrote a detailed guide on getting this up and running: Setting up and securing a private Composer repository.

Pros: Free, open-source, standard.
Cons: Basic security. It relies on the web server's directory-level access control, which makes granular, per-user access control difficult.

2. Satis with Dynamic Authentication

To overcome the security limitations of plain Satis, we engineered a solution using NGINX `auth_request` and a Laravel backend. This allowed us to validate license keys dynamically against our user database before serving package archives.

You can read about the implementation details here: Private Satis authentication backed by Laravel.

Pros: Dynamic security, integrates with existing user base.
Cons: Complex infrastructure. You still have to manage a server (VPS), NGINX configuration, and the Satis build process.

3. Going Serverless: Cloudflare Workers + R2

Tired of managing servers, we looked to the edge. We built a custom solution using Cloudflare Workers to serve the `packages.json` dynamically and R2 Storage to host the zip artifacts. This removed the need for a VPS entirely.

Check out the code and architecture involved: Serving private Composer packages with serverless Cloudflare Workers and R2 storage.

Pros: No servers to manage, extremely low cost.
Cons: "Rolling your own" meant maintaining custom code for serving files and handling authentication.
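As an added example (not the original post's code nor that of any linked guide), here is a minimal Worker of the kind option 3 describes: it gates both the index and the archives behind a token presented as HTTP Basic auth, serves `packages.json` from R2 with every dist URL rewritten to point back at the Worker, and streams the zips from R2. The `env.PACKAGES` bucket binding, the `env.TOKENS` secret, the `index.json` key and the `dist/<vendor>/<name>/<version>.zip` object layout are assumptions made for this example.

```javascript
// Added example (not the original post's code): a minimal Cloudflare Worker
// in the spirit of option 3. Assumed bindings: env.PACKAGES is an R2 bucket
// holding "index.json" plus archives under "dist/<vendor>/<name>/<version>.zip",
// and env.TOKENS is a comma-separated list of valid access tokens.
const enc = new TextEncoder();

// Constant-time comparison so a token check leaks neither length nor prefix timing.
function safeEqual(a, b) {
  const x = enc.encode(a), y = enc.encode(b);
  let diff = x.length ^ y.length;
  for (let i = 0; i < Math.max(x.length, y.length); i++) diff |= (x[i] ?? 0) ^ (y[i] ?? 0);
  return diff === 0;
}

// Composer presents the token as HTTP Basic auth: user "token", password = the token.
function authorized(request, env) {
  const header = request.headers.get("Authorization") || "";
  if (!header.startsWith("Basic ")) return false;
  let decoded;
  try { decoded = atob(header.slice(6)); } catch { return false; }
  const presented = decoded.slice(decoded.indexOf(":") + 1);
  return env.TOKENS.split(",").some((t) => safeEqual(t, presented));
}

const NOT_FOUND = () => new Response("Not found", { status: 404 });

async function handleRequest(request, env) {
  if (!authorized(request, env)) {
    return new Response("Unauthorized", {
      status: 401, headers: { "WWW-Authenticate": 'Basic realm="composer"' } });
  }
  const url = new URL(request.url);
  if (url.pathname === "/packages.json") {
    const obj = await env.PACKAGES.get("index.json");
    if (!obj) return NOT_FOUND();
    const index = JSON.parse(await obj.text());
    // Rewrite every dist URL to point back at this Worker, so archive downloads
    // pass the same token check instead of reaching R2 directly.
    for (const [name, versions] of Object.entries(index.packages)) {
      for (const [version, meta] of Object.entries(versions)) {
        meta.dist = { type: "zip", url: `${url.origin}/dist/${name}/${version}.zip` };
      }
    }
    return new Response(JSON.stringify(index), {
      headers: { "Content-Type": "application/json" } });
  }
  // Only well-formed vendor/name/version paths map to bucket keys; anything else is 404.
  const m = url.pathname.match(/^\/dist\/([a-z0-9_.-]+\/[a-z0-9_.-]+\/[A-Za-z0-9_.+-]+)\.zip$/);
  if (!m || m[1].includes("..")) return NOT_FOUND();
  const obj = await env.PACKAGES.get(`dist/${m[1]}.zip`);
  if (!obj) return NOT_FOUND();
  return new Response(obj.body, { headers: { "Content-Type": "application/zip" } });
}
```

In a real deployment the module entry point is `export default { fetch: handleRequest }`, and `TOKENS` should be configured as a Workers secret rather than a plaintext variable.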

4. The Winner: PACKAGE.broker

Finally, we discovered PACKAGE.broker. It combines the benefits of the serverless approach with the polish of a dedicated product. It deploys to Cloudflare Workers but provides enterprise-grade security features like token management and encrypted credential storage out of the box.

We wrote a setup guide for it here: Self-hosted private packages server on Cloudflare with PACKAGE.broker.

Conclusion: For us, PACKAGE.broker hit the sweet spot. It offers the low maintenance and cost of a serverless architecture without requiring us to maintain the repository software itself.