diff options
Diffstat (limited to 'public/crt-sh-architecture.html')
-rw-r--r-- | public/crt-sh-architecture.html | 87 |
1 files changed, 87 insertions, 0 deletions
diff --git a/public/crt-sh-architecture.html b/public/crt-sh-architecture.html new file mode 100644 index 0000000..bf1b71c --- /dev/null +++ b/public/crt-sh-architecture.html @@ -0,0 +1,87 @@ +<!DOCTYPE html> +<html lang="en"> +<head> + <meta charset="utf-8"> + <title>The interesting architecture of crt.sh — Luke T. Shumaker</title> + <meta name="viewport" content="width=device-width, initial-scale=1"> + <link rel="stylesheet" href="assets/style.css"> + <link rel="alternate" type="application/atom+xml" href="./index.atom" name="web log entries"/> +</head> +<body> +<header><a href="/">Luke T. Shumaker</a> » <a href=/blog>blog</a> » crt-sh-architecture</header> +<article> +<h1 id="the-interesting-architecture-of-crt.sh">The interesting +architecture of crt.sh</h1> +<p>A while back I wrote myself a little dashboard for monitoring TLS +certificates for my domains. Right now it works by talking to <a +href="https://crt.sh/" class="uri">https://crt.sh/</a>. Sometimes this +works great, but sometimes crt.sh is really slow. Plus, it’s another +thing that could be compromised.</p> +<p>So, I started looking at how crt.sh works. It’s kinda cool.</p> +<p>There are only 3 separate processes:</p> +<ul> +<li>Cron +<ul> +<li><a +href="https://github.com/crtsh/ct_monitor"><code>ct_monitor</code></a> +is program that uses libcurl to get CT log changes and libpq to put them +into the database.</li> +</ul></li> +<li>PostgreSQL +<ul> +<li><a +href="https://github.com/crtsh/certwatch_db"><code>certwatch_db</code></a> +is the core web application, written in PL/pgSQL. It even includes the +HTML templating and query parameter handling. Of course, there are a +couple of things not entirely done in pgSQL…</li> +<li><a +href="https://github.com/crtsh/libx509pq"><code>libx509pq</code></a> +adds a set of <code>x509_*</code> functions callable from pgSQL for +parsing X509 certificates.</li> +<li><a +href="https://github.com/crtsh/libcablintpq"><code>libcablintpq</code></a> +adds the <code>cablint_embedded(bytea)</code> function to pgSQL.</li> +<li><a +href="https://github.com/crtsh/libx509lintpq"><code>libx509lintpq</code></a> +adds the <code>x509lint_embedded(bytea,integer)</code> function to +pgSQL.</li> +</ul></li> +<li>Apache HTTPD +<ul> +<li><a +href="https://github.com/crtsh/mod_certwatch"><code>mod_certwatch</code></a> +is a pretty thin wrapper that turns every HTTP request into an SQL +statement sent to PostgreSQL, via…</li> +<li><a +href="https://github.com/crtsh/mod_pgconn"><code>mod_pgconn</code></a>, +which manages PostgreSQL connections.</li> +</ul></li> +</ul> +<p>The interface exposes HTML, ATOM, and JSON. All from code written in +SQL.</p> +<p>And then I guess it’s behind an nginx-based load-balancer or somesuch +(based on the 504 Gateway Timout messages it’s given me). But that’s not +interesting.</p> +<p>The actual website is <a +href="https://groups.google.com/d/msg/mozilla.dev.security.policy/EPv_u9V06n0/gPJY5T7ILlQJ">run +from a read-only slave</a> of the master DB that the +<code>ct_monitor</code> cron-job updates; which makes several security +considerations go away, and makes horizontal scaling easy.</p> +<p>Anyway, I thought it was neat that so much of it runs inside the +database; you don’t see that terribly often. I also thought the little +shims to make that possible were neat. I didn’t get deep enough in to it +to end up running my own instance or clone, but I thought my notes on it +were worth sharing.</p> + +</article> +<footer> + <aside class="sponsor"><p>I'd love it if you <a class="em" + href="/sponsor/">sponsored me</a>. It will allow me to continue + <a class="em" href="/imworkingon/">my work</a> on the GNU/Linux + ecosystem. Thanks!</p></aside> + +<p>The content of this page is Copyright © 2018 <a href="mailto:lukeshu@lukeshu.com">Luke T. Shumaker</a>.</p> +<p>This page is licensed under the <a href="https://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA 4.0</a> license.</p> +</footer> +</body> +</html> |