routing-cafe
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 76 additions & 14 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 76 additions & 14 deletions
diff --git a/‎Dockerfile‎
Lines changed: 41 additions & 3 deletions b/‎Dockerfile‎
Lines changed: 41 additions & 3 deletions
diff --git a/‎schema.sql‎
Lines changed: 10 additions & 1 deletion b/‎schema.sql‎
Lines changed: 10 additions & 1 deletion
diff --git a/‎ui/.gitignore‎
Lines changed: 41 additions & 0 deletions b/‎ui/.gitignore‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎ui/README.md‎
Lines changed: 128 additions & 0 deletions b/‎ui/README.md‎
Lines changed: 128 additions & 0 deletions
@@ -1,4 +1,4 @@
-name: Build and Push Docker Image
+name: Build and Push Docker Images
 
 on:
   push:
@@ -8,15 +8,12 @@ on:
 
 env:
   REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository }}/ctmon-ingest
+  BACKEND_IMAGE_NAME: ${{ github.repository }}/ctmon-ingest
+  UI_IMAGE_NAME: ${{ github.repository }}/ctmon-ui
 
 jobs:
-  build-and-push:
+  test:
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
@@ -26,32 +23,97 @@ jobs:
       with:
         go-version: '1.23'
 
-    - name: Run tests
+    - name: Run Go tests
       run: go test -v ./...
 
+    - name: Set up Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: '20'
+        cache: 'npm'
+        cache-dependency-path: ui/package-lock.json
+
+    - name: Install UI dependencies
+      run: cd ui && npm ci
+
+    - name: Run UI linting
+      run: cd ui && npm run lint
+
+    - name: Build UI
+      run: cd ui && npm run build
+
+  build-and-push-backend:
+    needs: test
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
     - name: Log in to Container Registry
       uses: docker/login-action@v3
       with:
         registry: ${{ env.REGISTRY }}
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
 
-    - name: Extract metadata
-      id: meta
+    - name: Extract backend metadata
+      id: meta-backend
       uses: docker/metadata-action@v5
       with:
-        images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+        images: ${{ env.REGISTRY }}/${{ env.BACKEND_IMAGE_NAME }}
         tags: |
           type=ref,event=branch
           type=ref,event=pr
           type=sha
           type=raw,value=latest,enable={{is_default_branch}}
 
-    - name: Build and push Docker image
+    - name: Build and push backend Docker image
       uses: docker/build-push-action@v5
       with:
         context: .
         push: true
-        tags: ${{ steps.meta.outputs.tags }}
-        labels: ${{ steps.meta.outputs.labels }}
+        tags: ${{ steps.meta-backend.outputs.tags }}
+        labels: ${{ steps.meta-backend.outputs.labels }}
         target: ctmon_ingest
+
+  build-and-push-ui:
+    needs: test
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Log in to Container Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ env.REGISTRY }}
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Extract UI metadata
+      id: meta-ui
+      uses: docker/metadata-action@v5
+      with:
+        images: ${{ env.REGISTRY }}/${{ env.UI_IMAGE_NAME }}
+        tags: |
+          type=ref,event=branch
+          type=ref,event=pr
+          type=sha
+          type=raw,value=latest,enable={{is_default_branch}}
+
+    - name: Build and push UI Docker image
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        push: true
+        tags: ${{ steps.meta-ui.outputs.tags }}
+        labels: ${{ steps.meta-ui.outputs.labels }}
+        target: ui
@@ -1,4 +1,4 @@
-# Build stage
+# Go backend build stage
 FROM golang:1.23-alpine AS builder
 
 WORKDIR /app
@@ -18,7 +18,7 @@ COPY . .
 # Build the binary
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o ctmon-ingest ./cmd/ctmon-ingest
 
-# Runtime stage
+# Go backend runtime stage
 FROM alpine:latest AS ctmon_ingest
 
 # Install ca-certificates for HTTPS requests
@@ -33,4 +33,42 @@ COPY --from=builder /app/ctmon-ingest .
 EXPOSE 8080
 
 # Run the binary
-CMD ["./ctmon-ingest"]
+CMD ["./ctmon-ingest"]
+
+# UI build stage
+FROM node:20-alpine AS ui-builder
+
+WORKDIR /app
+
+# Copy package files
+COPY ui/package*.json ./
+
+# Install dependencies
+RUN npm ci
+
+# Copy UI source code
+COPY ui/ ./
+
+# Build the application
+RUN npm run build
+
+# UI runtime stage
+FROM node:20-alpine AS ui
+
+WORKDIR /app
+
+# Copy built application
+COPY --from=ui-builder /app/.next/standalone ./
+COPY --from=ui-builder /app/.next/static ./.next/static
+COPY --from=ui-builder /app/public ./public
+
+# Expose port
+EXPOSE 3000
+
+# Set environment variables
+ENV NODE_ENV=production
+ENV HOSTNAME=0.0.0.0
+ENV PORT=3000
+
+# Run the application
+CMD ["node", "server.js"]
@@ -43,6 +43,14 @@ CREATE TABLE ct_log_entries
     -- Other Key Parsed Certificate Fields
     serial_number String COMMENT 'Certificate serial number (hex string)',
     subject_alternative_names Array(String) COMMENT 'Array of Subject Alternative Names (DNS, IP, etc.)',
+    name_suffixes Array(String) MATERIALIZED arrayDistinct(
+        arrayFlatten(
+            arrayMap(x -> arrayMap(
+                i -> substring(x, i), arrayFilter(i -> i > 0, arrayMap(pos -> position(x, '.', pos), range(1, length(x) + 1)))
+            ),
+            arrayConcat(subject_alternative_names, [subject_common_name])
+        ))
+    ) COMMENT 'All domain suffixes from subject_alternative_names and subject_common_name (e.g., .example.com, .com)',
     signature_algorithm LowCardinality(String) COMMENT 'Signature algorithm of the certificate',
     subject_public_key_algorithm LowCardinality(String) COMMENT 'Algorithm of the subject public key',
     subject_public_key_length UInt16 COMMENT 'Length of the subject public key (e.g., 2048, 256)',
@@ -85,7 +93,8 @@ CREATE TABLE ct_log_entries
     INDEX idx_sans subject_alternative_names TYPE bloom_filter GRANULARITY 4, -- For has(subject_alternative_names, 'value')
     INDEX idx_serial serial_number TYPE bloom_filter GRANULARITY 1,
     INDEX idx_not_after not_after TYPE minmax,
-    INDEX idx_entry_timestamp entry_timestamp TYPE minmax
+    INDEX idx_entry_timestamp entry_timestamp TYPE minmax,
+    INDEX idx_name_suffixes name_suffixes TYPE bloom_filter GRANULARITY 4 -- For has(name_suffixes, 'value')
 )
 ENGINE = ReplacingMergeTree()
 PARTITION BY toYYYYMM(not_after) -- Partition by month of certificate expiry
 
@@ -0,0 +1,41 @@
+# See https://help.github.com/articles/ignoring-files/ for more about ignoring files.
+
+# dependencies
+/node_modules
+/.pnp
+.pnp.*
+.yarn/*
+!.yarn/patches
+!.yarn/plugins
+!.yarn/releases
+!.yarn/versions
+
+# testing
+/coverage
+
+# next.js
+/.next/
+/out/
+
+# production
+/build
+
+# misc
+.DS_Store
+*.pem
+
+# debug
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+.pnpm-debug.log*
+
+# env files (can opt-in for committing if needed)
+.env*
+
+# vercel
+.vercel
+
+# typescript
+*.tsbuildinfo
+next-env.d.ts
@@ -0,0 +1,128 @@
+# Certificate Transparency Monitor
+
+A web application for searching and monitoring SSL/TLS certificates from Certificate Transparency logs, similar to crt.sh. Built with Next.js and ClickHouse.
+
+## Features
+
+- **Multi-type Search**: Search certificates by domain name, common name, serial number, SHA-256 fingerprint, or issuer
+- **Detailed Certificate View**: View complete certificate information including subject, issuer, validity periods, and extensions
+- **Subject Alternative Names**: Display all SAN entries for certificates
+- **Certificate Transparency Logs**: Track which CT log each certificate was found in
+- **Responsive Design**: Works on desktop and mobile devices with dark mode support
+
+## Tech Stack
+
+- **Frontend**: Next.js 15 with React 19
+- **Styling**: Tailwind CSS 4
+- **Database**: ClickHouse
+- **Language**: TypeScript
+
+## Prerequisites
+
+- Node.js 18+ 
+- ClickHouse database with CT log data
+- Environment variables for ClickHouse connection
+
+## Environment Variables
+
+Create a `.env.local` file in the `ui/` directory with the following variables:
+
+```bash
+CLICKHOUSE_HOST=localhost
+CLICKHOUSE_PORT=8123
+CLICKHOUSE_USER=default
+CLICKHOUSE_PASSWORD=your_password
+CLICKHOUSE_DATABASE=ct_logs
+```
+
+## Installation
+
+1. Install dependencies:
+```bash
+npm install
+```
+
+2. Run the development server:
+```bash
+npm run dev
+```
+
+3. Open [http://localhost:3000](http://localhost:3000) in your browser
+
+## Database Schema
+
+The application expects a ClickHouse table named `ct_log_entries` with the schema defined in `/schema.sql`. Key fields include:
+
+- Certificate identifiers (SHA-256, serial number)
+- Subject and issuer information
+- Validity periods
+- Subject Alternative Names
+- Certificate extensions and key usage
+- CT log metadata
+
+## API Endpoints
+
+### Get Certificate Details
+```
+GET /api/certificate/{sha256}
+```
+
+Returns complete certificate information for a given SHA-256 fingerprint.
+
+## Search Types
+
+1. **Domain/SAN**: Search by domain name or Subject Alternative Name
+   - Example: `example.com`, `*.example.com`
+
+2. **Common Name**: Search by certificate Common Name field
+   - Example: `www.example.com`
+
+3. **Serial Number**: Search by certificate serial number (hex format)
+   - Example: `03f7b3b2a8c9d1e2f4a5b6c7d8e9f0a1`
+
+4. **SHA-256**: Search by certificate SHA-256 fingerprint
+   - Example: `a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456`
+
+5. **Issuer**: Search by certificate issuer Common Name
+   - Example: `Let's Encrypt Authority X3`
+
+## Project Structure
+
+```
+ui/
+├── app/
+│   ├── api/
+│   │   ├── search/route.ts          # Search API endpoint
+│   │   └── certificate/[sha256]/route.ts  # Certificate detail API
+│   ├── certificate/[sha256]/page.tsx # Certificate detail page
+│   ├── layout.tsx                   # Root layout
+│   ├── page.tsx                     # Main search page
+│   └── globals.css                  # Global styles
+├── components/
+│   ├── search-form.tsx              # Search interface
+│   └── certificate-list.tsx         # Certificate results list
+├── lib/
+│   └── clickhouse.ts                # ClickHouse client configuration
+├── types/
+│   └── certificate.ts               # TypeScript interfaces
+└── public/                          # Static assets
+```
+
+## Development
+
+- `npm run dev` - Start development server
+- `npm run build` - Build for production  
+- `npm run start` - Start production server
+- `npm run lint` - Run ESLint
+
+## Contributing
+
+1. Fork the repository
+2. Create a feature branch
+3. Make your changes
+4. Run linting and tests
+5. Submit a pull request
+
+## License
+
+See the main project LICENSE file.