Configuration
Learn how to configure your instance of certstream-server-go. To get an idea of all the possible configuration options, please also see the sample.config.json. Keep in mind that the sample config in the master branch might already contain features that are not bundled in a release yet.
Since v1.9.0, the certstream server can be configured using environment variables. Configuration parsing and management are handled by Viper. Environment variable names are constructed by prefixing CERTSTREAM_ to the corresponding YAML configuration path, with keys written in uppercase and separated by underscores. For example, to override the webserver.listen_port setting, set the environment variable CERTSTREAM_WEBSERVER_LISTEN_PORT to your desired value.
Configuration values are applied in the following order of precedence: environment variables > values in the configuration file > default settings
The webserver config defines how the web server of the certstream service operates. Here you can, for example, configure the interface and port the server listens on, or define a whitelist so that only certain network addresses may connect to the tool.

| yaml key | type | Description | Example |
|---|---|---|---|
| listen_addr | string | Address for the websocket server to listen on | 0.0.0.0 |
| listen_port | int | Port for the websocket server to listen on | 80 |
| cert_path | string | Path to TLS certificate to serve https | /path/to/cert.crt |
| cert_key_path | string | Path to TLS certificate key to serve https | /path/to/cert.key |
| real_ip | bool | Port for the websocket server to listen on. Only use behind reverse proxy! | true |
| whitelist | []string | Whitelist of IPs and CIDR ranges | 1.2.3.4, 127.0.0.0/8 |
| full_url | string | Websocket endpoint for certificates with all details | /full-stream |
| lite_url | string | Websocket endpoint for certificates with reduced details (no as_der and chain fields) | / |
| domains_only_url | string | Websocket endpoint for domains of the processed certificates only | /domains-only |
| compression_enabled | bool | Specify if the server should attempt to negotiate per-message compression (RFC 7692) | false |
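The whitelist accepts a mix of bare IPs and CIDR ranges. As an added illustration (not the project's own code; the names parseWhitelist and allowed are mine), this is how such a list can be parsed and enforced with the Go standard library: a bare IP becomes a single-host network, a malformed entry is rejected instead of silently skipped, and an unparseable client address fails closed. Whatever address you feed into the check, it is only as trustworthy as where it came from, which is why a proxy-reported address should only be used behind a reverse proxy you control.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// parseWhitelist turns whitelist entries (bare IPs or CIDR ranges such as
// "1.2.3.4" and "127.0.0.0/8") into networks. A bare IP becomes a single-host
// network; a malformed entry is an error so a typo cannot quietly change the list.
func parseWhitelist(entries []string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, raw := range entries {
		entry := strings.TrimSpace(raw)
		if _, n, err := net.ParseCIDR(entry); err == nil {
			nets = append(nets, n)
			continue
		}
		ip := net.ParseIP(entry)
		if ip == nil {
			return nil, fmt.Errorf("whitelist entry %q is neither an IP nor a CIDR", entry)
		}
		// ParseIP returns 16 bytes for both families; IPNet.Contains trims a
		// 128-bit mask to 32 bits for IPv4 addresses, so this is /32 or /128.
		nets = append(nets, &net.IPNet{IP: ip, Mask: net.CIDRMask(128, 128)})
	}
	return nets, nil
}

// allowed reports whether addr (a bare IP, not host:port) matches any entry; unparseable input fails closed.
func allowed(nets []*net.IPNet, addr string) bool {
	ip := net.ParseIP(strings.TrimSpace(addr))
	if ip == nil {
		return false
	}
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	nets, _ := parseWhitelist([]string{"1.2.3.4", "127.0.0.0/8"})
	for _, a := range []string{"1.2.3.4", "127.42.0.1", "10.0.0.1", "junk"} {
		fmt.Println(a, allowed(nets, a)) // true, true, false, false
	}
}
```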
The prometheus settings configure everything related to the Prometheus metrics endpoint that is used to monitor the certstream server.

| yaml key | type | Description | Example |
|---|---|---|---|
| enabled | bool | Should prometheus metrics be exported? | true |
| listen_addr | string | Address for the websocket server to listen on | 0.0.0.0 |
| listen_port | int | Port for the websocket server to listen on | 80 |
| cert_path | string | Path to TLS certificate to serve https | /path/to/cert.crt |
| cert_key_path | string | Path to TLS certificate key to serve https | /path/to/cert.key |
| real_ip | bool | Port for the websocket server to listen on. Only use behind reverse proxy! | true |
| whitelist | []string | Whitelist of IPs and CIDR ranges | 1.2.3.4, 127.0.0.0/8 |
| metrics_url | string | The URL at which the metrics are available | /metrics |
| expose_system_metrics | bool | Should Go system metrics be exposed as well? | false |
The general settings configure various options such as the buffer sizes, in order to make certstream-server-go perform better on slower hardware. Slow clients can lead to queue buildup, which increases RAM consumption and can cause out-of-memory errors if you run certstream-server-go on a small machine. See also this comment.

| yaml key | type | Description | Example |
|---|---|---|---|
| disable_default_logs | bool | Option to disable all logs provided via the Google v3 loglist. | true |
| additional_logs | []object | List of additional CT logs to monitor. | See sample config |
| buffer_sizes | object | Configuration to overwrite internally used buffer sizes. In case your client is too slow, you'll receive "buffer is full" logs. The best solution for this is either to use a faster client or to upgrade to a stream processing tool like Kafka. | See sample config |
| buffer_sizes.websocket | int | Size of the buffer (# of certificates) used for each individual websocket connection. | 300 |
| buffer_sizes.ctlog | int | Size of the buffer (# of certificates) used for each individual CT log connection. | 1000 |
| buffer_sizes.broadcastmanager | int | Size of the internal queue (# of certificates) of the broadcast manager. | 10000 |
| drop_old_logs | bool | Drop old logs that are no longer advertised via the Google v3 loglist. | true |
| recovery | object | If enabled, the tool stores a JSON file that contains all the CT logs and the index of the certificate where the tool was last stopped. That way you can continue scanning from the last processed certificate without losing certificates during the downtime. | See sample config |
| recovery.enabled | bool | Option to enable the recovery feature. | true |
| recovery.ct_index_file | string | The file in which to store the index of the last processed certificate for each CT log. | ./ct_index.json |
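To show why the per-connection buffer matters and where "buffer is full" comes from, here is an added Go model of the fan-out (an illustration, not the project's broadcast manager; the types client, broadcaster and the function simulate are mine, and the drop-on-full policy is assumed). Each subscriber gets a bounded queue; a send never blocks, so a slow consumer loses certificates instead of stalling the other clients or letting memory grow without bound.

```go
package main

import "fmt"

// client is one websocket subscriber with its own bounded queue, modelling the
// buffer_sizes.websocket setting (illustration only, not the project's code).
type client struct {
	queue   chan string
	dropped int
}

// broadcaster fans every certificate out to all clients without ever blocking:
// when a client's queue is full the certificate is dropped for that client and
// counted (the "buffer is full" case), so one slow consumer cannot make the
// queues, and with them RAM, grow without bound or stall the other clients.
type broadcaster struct{ clients []*client }

func (b *broadcaster) publish(cert string) {
	for _, c := range b.clients {
		select {
		case c.queue <- cert:
		default:
			c.dropped++
		}
	}
}

// drain lets a consumer read up to n queued certificates; returns how many it got.
func (c *client) drain(n int) (read int) {
	for ; read < n && len(c.queue) > 0; read++ {
		<-c.queue
	}
	return read
}

// simulate publishes total certificates to a fast client (buffer 300, drains one
// per publish) and a slow client (buffer slowSize, never drains); returns counts.
func simulate(total, slowSize int) (slowQueued, slowDropped, fastDropped int) {
	fast := &client{queue: make(chan string, 300)}
	slow := &client{queue: make(chan string, slowSize)}
	b := &broadcaster{clients: []*client{fast, slow}}
	for i := 0; i < total; i++ {
		b.publish(fmt.Sprintf("cert-%d", i))
		fast.drain(1)
	}
	return len(slow.queue), slow.dropped, fast.dropped
}

func main() {
	fmt.Println(simulate(10, 3)) // 3 7 0
}
```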
Check out the sample configuration.