📄 README.md

AssppWeb

A web-based tool for acquiring and installing iOS apps outside the App Store. Authenticate with your Apple ID, search for apps, acquire licenses, and install IPAs directly to your device.

Zero-Trust Architecture

AssppWeb uses a zero-trust design where the server never sees your Apple credentials. All Apple API communication happens directly in your browser via WebAssembly (libcurl.js with Mbed TLS 1.3). The server only acts as a blind TCP relay (Wisp protocol) and handles IPA compilation from public CDN downloads.

⚠️ Important Security Notice: There are no official Asspp Web instances. Use any public instance at your own risk. While the backend cannot read your encrypted traffic, a malicious host could serve a modified frontend to capture your credentials before encryption. Therefore, do not blindly trust public instances. We strongly recommend self-hosting your own instance or using one provided by a trusted partner. Always verify the SSL certificate and ensure you are connecting to a secure, authentic endpoint.

恳请所有转发项目的博主对自己的受众进行网络安全技术科普。要有哪个不拎清的大头儿子搞出事情来都够我们喝一壶的。

Quick Start

Deploy to Cloudflare

This uses Cloudflare Workers + Containers with the published image ghcr.io/lakr233/assppweb:latest.

Requirements:

Cloudflare Workers Paid plan (Containers are not available on Free).
Deploy/build token with:

Workers Scripts Edit

Containers Edit

Cloudchamber Edit

If your build log fails at Deploy a container application with Unauthorized, your build token is missing required Containers/Cloudchamber permissions.

Deploy to Railway

Click to show Railway deployment instructions

Go to railway.com/new/image → enter ghcr.io/lakr233/assppweb:latest
In service Settings, set Healthcheck Path to /api/settings and deploy
Right-click the service → Attach volume → mount path: /data
In Variables, set DATA_DIR = /data and deploy
In Settings → Networking, generate a public domain or add a custom domain

Notes

The free trial works but has limitations (volume expiry, network restrictions). Hobby plan ($5/month) or above is recommended for reliable use.
Enable Serverless in service settings to scale down to zero during idle periods
Railway auto-updates :latest images from GHCR — new releases will be deployed automatically within a few hours

⚠️ Custom domain with Cloudflare: Railway's Cloudflare integration creates DNS records with Proxy enabled (orange cloud) by default. After authorizing, go to Cloudflare DNS settings and switch the CNAME record to DNS only (gray cloud) — Railway handles TLS automatically. If you keep Cloudflare Proxy on, you must set SSL/TLS mode to Full (not Flexible or Full Strict), otherwise you'll get an infinite redirect loop. See Railway docs.

Self-Host with Docker Compose

Click to show manual Docker Compose setup instructions

Setup Docker Compose

curl -O https://raw.githubusercontent.com/Lakr233/AssppWeb/main/compose.yml
docker compose up -d

Environment Variables

Variable	Default	Description
`PORT`	`8080`	Server listen port
`DATA_DIR`	`./data`	Directory for storing compiled IPAs
`PUBLIC_BASE_URL`	(auto-detect)	Public URL for generating install manifests (e.g. `https://asspp.example.com`)
`UNSAFE_DANGEROUSLY_DISABLE_HTTPS_REDIRECT`	`false`	Disable HTTPS redirect (see warning below)
`AUTO_CLEANUP_DAYS`	`0`	Automatically delete cached IPA files older than specified days (0 to disable)
`AUTO_CLEANUP_MAX_MB`	`0`	Automatically delete oldest cached IPA files when size exceeds this MB limit (0 to disable)
`MAX_DOWNLOAD_MB`	`0`	Reject downloads exceeding this size in MB to prevent out-of-memory errors (0 to disable)
`DOWNLOAD_THREADS`	`8`	Number of parallel threads for IPA downloads (1–32)
`ACCESS_PASSWORD`	(none)	Require a password to access the web UI and API (empty to disable)

Reverse Proxy (Required for Install Apps on iOS)

iOS requires HTTPS for itms-services:// install links. You must put AssppWeb behind a reverse proxy with a valid TLS certificate.

⚠️ Redirect loop (ERR_TOO_MANY_REDIRECTS)? Some reverse proxies (e.g. NAS built-in proxies) always send X-Forwarded-Proto: http even when the client connected via HTTPS, causing an infinite redirect loop. If you cannot configure your proxy to send the correct header, set UNSAFE_DANGEROUSLY_DISABLE_HTTPS_REDIRECT=true as a last resort. This disables the HTTP→HTTPS redirect — you must ensure your proxy enforces HTTPS externally.

The following is an example Caddyfile configuration:

asspp.example.com { reverse_proxy 127.0.0.1:8080 }

⚠️ Make Sure WebSocket Works

AssppWeb relies on the Wisp protocol over WebSocket (/wisp/) for its zero-trust architecture. Ensure your reverse proxy or CDN (e.g., Nginx, Cloudflare) is configured to allow WebSocket connections, otherwise the app will fail to communicate with Apple servers.

Security Recommendations

DDoS Protection

IPA files can be hundreds of megabytes. If your instance is publicly accessible, put it behind a CDN like Cloudflare to absorb bandwidth and prevent abuse.

License

MIT License. See LICENSE for details.

🥰 Acknowledgments

For projects that was stolen and used heavily:

For friends who helped with testing and feedback: