Configuration
Learn how to configure your instance of certstream-server-go. To get an idea of all the possible configuration options, please also see the sample.config.json. Keep in mind that the sample config in the master branch might already contain features that are not bundled in a release yet.
The webserver config defines how the web server for the certstream service operates. For example, you can configure the interface and port the server listens on, or define a whitelist so that only certain network devices can connect to the tool.

| yaml key | type | Description | Example |
|---|---|---|---|
| listen_addr | string | Address for the websocket server to listen on | 0.0.0.0 |
| listen_port | int | Port for the websocket server to listen on | 80 |
| cert_path | string | Path to TLS certificate to serve https | /path/to/cert.crt |
| cert_key_path | string | Path to TLS certificate key to serve https | /path/to/cert.key |
| real_ip | bool | Port for the websocket server to listen on. Only use behind reverse proxy! | true |
| whitelist | []string | Whitelist of IPs and CIDR ranges | 1.2.3.4, 127.0.0.0/8 |
| full_url | string | Websocket endpoint for certificates with all details | /full-stream |
| lite_url | string | Websocket endpoint for certificates with reduced details (no as_der and chain fields) | / |
| domains_only_url | string | Websocket endpoint for domains of the processed certificates only | /domains-only |
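Added example, not code from certstream-server-go: how a `whitelist` of IPs and CIDR ranges and the `real_ip` switch fit together, written in Go. `ParseWhitelist`, `Allowed` and `ClientIP` are hypothetical names, and trusting an `X-Real-IP` header when `real_ip` is set is an assumption about what that option does, made here to illustrate why the page says to use it only behind a reverse proxy.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

type Whitelist []*net.IPNet

// ParseWhitelist takes entries as shown on the page ("1.2.3.4", "127.0.0.0/8"); a bare IP
// becomes a single-host range. A malformed entry is an error, so a typo cannot widen the set.
func ParseWhitelist(entries []string) (Whitelist, error) {
	var w Whitelist
	for _, e := range entries {
		if !strings.Contains(e, "/") {
			if ip := net.ParseIP(e); ip != nil && ip.To4() != nil {
				e += "/32"
			} else {
				e += "/128"
			}
		}
		_, n, err := net.ParseCIDR(e)
		if err != nil {
			return nil, fmt.Errorf("invalid whitelist entry %q: %w", e, err)
		}
		w = append(w, n)
	}
	return w, nil
}

// Allowed reports whether ip falls inside any whitelisted range.
func (w Whitelist) Allowed(ip net.IP) bool {
	for _, n := range w {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP picks the address to check: the TCP peer (remoteAddr, "host:port") or, when realIP
// is set, a proxy-supplied X-Real-IP header (assumed meaning of real_ip; any direct client can forge it).
func ClientIP(remoteAddr, xRealIP string, realIP bool) net.IP {
	if ip := net.ParseIP(strings.TrimSpace(xRealIP)); realIP && ip != nil {
		return ip
	}
	host, _, _ := net.SplitHostPort(remoteAddr)
	return net.ParseIP(host)
}
```

With `real_ip` enabled and no proxy in front, a direct client that sends `X-Real-IP: 127.0.0.1` would pass a `127.0.0.0/8` whitelist, which is the failure mode the table's warning is about.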
The prometheus settings configure everything related to the prometheus metrics endpoint that is used to monitor the certstream server.
| yaml key | type | Description | Example |
|---|---|---|---|
| enabled | bool | Should prometheus metrics be exported? | true |
| listen_addr | string | Address for the websocket server to listen on | 0.0.0.0 |
| listen_port | int | Port for the websocket server to listen on | 80 |
| cert_path | string | Path to TLS certificate to serve https | /path/to/cert.crt |
| cert_key_path | string | Path to TLS certificate key to serve https | /path/to/cert.key |
| real_ip | bool | Port for the websocket server to listen on. Only use behind reverse proxy! | true |
| whitelist | []string | Whitelist of IPs and CIDR ranges | 1.2.3.4, 127.0.0.0/8 |
| metrics_url | string | The URL at which the metrics are available | /metrics |
| expose_system_metrics | bool | Should Go system metrics be exposed as well? | false |
The general settings configure various options such as the buffer sizes, so that certstream-server-go performs better on slower hardware. Slow clients can cause queues to build up, which increases RAM consumption and can lead to out-of-memory errors if you run certstream-server-go on a small machine. See also this comment.

| yaml key | type | Description | Example |
|---|---|---|---|
| disable_default_logs | bool | Option to disable all logs provided via the Google v3 loglist. | true |
| additional_logs | []object | List of additional CT logs to monitor. | See sample config |
| buffer_sizes | object | Configuration to overwrite internally used buffer sizes. In case your client is too slow, you'll receive "buffer is full" logs. The best solution for this is either to use a faster client or to upgrade to a stream processing tool like Kafka. | See sample config |
| buffer_sizes.websocket | int | Size of the buffer (# of certificates) used for each individual websocket connection. | 300 |
| buffer_sizes.ctlog | int | Size of the buffer (# of certificates) used for each individual CT log connection. | 1000 |
| buffer_sizes.broadcastmanager | int | Size of the internal queue (# of certificates) of the broadcast manager. | 10000 |
| drop_old_logs | bool | Drop old logs that are no longer advertised via the Google v3 loglist. | true |
| recovery | object | If enabled, the tool stores a JSON file that contains all the CT logs and the index of the certificate at which the tool was last stopped. That way you can continue scanning from the last processed certificate without losing certificates during the downtime. | See sample config |
| recovery.enabled | bool | Option to enable the recovery feature. | true |
| recovery.ct_index_file | string | The file in which to store the index of the last processed certificate for each CT log. | ./ct_index.json |
Check out the sample configuration.