Luke Shumaker » blog » crt-sh-architecture

The interesting architecture of crt.sh

A while back I wrote myself a little dashboard for monitoring TLS certificates for my domains. Right now it works by talking to crt.sh. Sometimes this works great, but sometimes crt.sh is really slow. Plus, it’s another thing that could be compromised.

So, I started looking at how crt.sh works. It’s kinda cool.

There are only 3 separate processes:

The interface exposes HTML, ATOM, and JSON. All from code written in SQL.

And then I guess it’s behind an nginx-based load-balancer or somesuch (based on the 504 Gateway Timeout messages it’s given me). But that’s not interesting.

The actual website is run from a read-only slave of the master DB that the ct_monitor cron-job updates; which makes several security considerations go away, and makes horizontal scaling easy.

Anyway, I thought it was neat that so much of it runs inside the database; you don’t see that terribly often. I also thought the little shims to make that possible were neat. I didn’t get deep enough into it to end up running my own instance or clone, but I thought my notes on it were worth sharing.