Open source · GPL-3.0 · one binary

Store a hundred versions. Pay for one.

Every build, dump, and firmware image you ship is mostly the one before it — and your bucket bills you full price for every copy. DeltaGlider Proxy is a drop-in S3 proxy that stores each new version as a tiny delta against the last full copy. Same S3 API, same buckets, zero client changes.

And since every byte already flows through it, it's also your storage control plane: per-user IAM and SSO, replication, lifecycle, encryption at rest — on any S3-compatible backend, including the cheap ones.

Start free trial → 90s Video GitHub

Built by Beshu Tech — the ReadonlyREST team, since 2017. Our own 1.71 TB build catalog is migrating through it in public, bugs and all.

See video

Ninety seconds, end to end

A real screen recording — not a mockup. Spin up an encrypted, compression-enabled backend, route a bucket to it, set up a user, then watch a versioned upload land at 96.7% smaller on disk, measured live.

Drawn to scale

What ten releases do to a bucket

The same ten uploads of a 91 MB build artifact, stored two ways. The bars are proportional — we had to give the deltas a two-pixel floor so you could see them at all.

The gap widens with every release. By v100 it's 9.1 GB against ~106 MB — 8,600% less. Our own release catalog landed at 8,850% smaller on a real release line.

The mechanism, in one sentence: each upload is stored as a binary diff against a full reference copy kept beside it, and every read rebuilds the exact original — behind the same S3 API your tools already speak.

Drop-in

Adopting it is one line of config

It speaks the S3 protocol your tools already speak — SigV4 signing, multipart uploads, range reads, presigned URLs. Repoint the endpoint; the SDKs, CI scripts, and backup jobs never notice.

app/config.yaml

 s3:
-  endpoint: https://s3.eu-central-1.amazonaws.com
+  endpoint: https://dgp.internal:9000
   access_key_id: ${AWS_ACCESS_KEY_ID}      # unchanged
   secret_access_key: ${AWS_SECRET_KEY}     # unchanged

Reads are verified, not assumed. Every delta read rebuilds the original and checks it against the SHA-256 recorded at upload before serving it.
One binary carries everything. Proxy, web UI, IAM, jobs, metrics — run it with Docker, a bare binary, or Helm. No sidecar zoo.
No format hostage-taking. Stored deltas are standard xdelta3 files next to a plain reference object — the stock CLI can rebuild every version without the proxy running.

The other half

It's also the control plane your cheap bucket is missing

The compression pays for the move; this is why you stay. Point it at Hetzner, Wasabi, MinIO, or AWS and the governance you'd normally rent from a hyperscaler rides along in the same binary.

Per-user auth & access control

IAM with fine-grained ABAC permissions, plus OAuth/OIDC SSO with group mapping — an access layer your budget object store doesn’t have.

Cross-cloud replication

Replicate buckets between providers — event-driven or scheduled, with pause/resume. Migrate or run multi-cloud, without lock-in.

Encryption at rest

AES-256-GCM before objects hit the bucket. Your key stays in your runtime; the backend only ever sees ciphertext.

Jobs, events & audit

Replication, lifecycle, migrations, and re-encryption run as resumable jobs with run history. Webhook or Slack on every event; an audit trail on every admin action.

None of it is a separate product: these screens ship inside the binary you download. Click to inspect.

IAM user management screen in the embedded admin UI — IAM users with ABAC permissions and group mapping.

Jobs screen showing replication and lifecycle rules — One Jobs screen: replication, lifecycle, migrations.

Storage analytics dashboard with per-bucket savings — Per-bucket savings, measured live — not estimated.

Due diligence

The questions you'd ask anyway

Answered with links, so you can check instead of believe.

Will it corrupt my artifacts?

Every delta read is rebuilt and SHA-256-checked against the hash recorded at upload — and 1,100+ unit tests plus an integration matrix against real MinIO gate every merge.

Read the source — it's GPL-3.0 →

What breaks in production?

Here's what broke in ours: we pushed our own 1.71 TB release catalog through it and published every bug we hit — upstream TMPDIR, proxy timeouts, EBS exhaustion — with the fixes.

Read the migration log →

Will bugs get fixed — or hidden?

A five-investigator correctness audit surfaced 10 bugs; all fixed, each pinned by a regression test, written up bug-by-bug where you can read them.

The bug-by-bug CHANGELOG →

Who answers when it breaks at 2 a.m.?

The people whose names are in git log. No outsourced first line, no chatbot — your mail lands with the engineers who wrote the code.

contact@beshu.tech →

Track record

New product. Proven team.

DeltaGlider is new — so these quotes are about ReadonlyREST, Beshu Tech's flagship since 2017. Same engineers, same standards. The track record you'd be buying into:

About ReadonlyREST

Our largest shared cluster [...] consolidates about 17 different use cases on the same hardware, lowering the total cost.

Ulrich Schwickerath Physicist, IT department, CERN

About ReadonlyREST

ReadonlyREST Enterprise is one of the few software I use or used professionally, and I would recommend it 200%.

Pierre Chesneau Solution Architect, Top French network operator

About ReadonlyREST

I baked ReadonlyREST Free into SEC455 SIEM Design and Implementation. I'm openly recommending it to students and highlighting its features.

Justin Henderson GSE, SANS Instructor, CEO, H/A Security Solutions

About ReadonlyREST

ReadonlyREST was quick and easy to implement, that gave us more time to spend on other important tasks.

Frederic Hosmann Responsible of Platforms and Automation, Creos S.A.

Honest positioning

Will it work on your data?

Your data looks like	Expected	Recommend
CI artifacts, build catalogs, plugin marketplaces	1,000%–10,000% smaller	✅ Yes
DB dumps, daily backups, ML model variants	500%–5,000% smaller	✅ Yes
Container layers, Maven / PyPI mirrors	1,000%–5,000% smaller	✅ Yes
Random user uploads, encrypted blobs, raw video	0%–100% smaller	❌ Use plain S3
Append-only logs, streaming telemetry	0% smaller	❌ Use plain S3

Self-disqualify or self-qualify here. We'd rather you find out now than after deployment.

Then put your real numbers into the savings calculator — it answers in 30 seconds. There's also a longer pitch for platform teams and one for regulated buyers.

Get started

Touch it in 60 seconds

$ docker run --rm -it -p 9000:9000 -v dgp-data:/data \
    -e DGP_AUTHENTICATION=none \
    beshultd/deltaglider_proxy

Open http://localhost:9000/_/ for the browser, or point any S3 SDK at http://localhost:9000. Open access is for a localhost first look — the second tutorial locks it down.

Full tutorial 30-day support trial GitHub