checkmyhttps/server-php/README.md at master · checkmyhttps/checkmyhttps · GitHub
CheckMyHTTPS API server installation

  • You can choose between a manual or a scripted installation

Manual installation

REQUIREMENTS

  • You need an HTTPS server with PHP, the PHP Normalizer class (php-intl) and the php-filter module
  • You also need a tmpfs partition for the cache. Here is the process (Linux):
  1. Add your administrator user to your web server's group. Example with an Apache server: `[root]# usermod -a -G apache administrator`
  2. Switch the administrator's current group ID to that group (valid for this session only): `[administrator]$ newgrp apache`
  3. Create the cache directory: `[administrator]$ mkdir /var/tmp/cmh_cache`

Important: in the next two steps, replace 960 and 955 with the uid and gid of your web server user (with Apache: `id apache`).

  4. Mount it with the correct permissions (accessible to apache:apache only): `[root]# mount -t tmpfs -o mand,noatime,size=256m,nosuid,noexec,uid=960,gid=955,mode=770 tmpfs /var/tmp/cmh_cache`
  5. Make it permanent (reboot-safe) by adding this line to `/etc/fstab`: `tmpfs /var/tmp/cmh_cache tmpfs mand,noatime,size=256m,nosuid,noexec,uid=960,gid=955,mode=770 0 0`

Note: `mand` enables mandatory file locking, which Linux removed in kernel 5.15; if the mount fails on that option, drop `mand` from the option list. Keep `nosuid` and `noexec`: the cache is writable by the web server user, and these options prevent anything written into it from being executed.

You can set the size you want for the cache. Here, 256 MB was chosen, which holds at most 64,000 records.

The cache is enabled by default, but you can turn it off by setting the variable $use_cache to false in config.php.
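Because the cache directory is writable by the web server user, the options on that mount are what keeps an attacker who can write into it from running anything from there or filling memory. The script below is an added example, not code from the CheckMyHTTPS project: it validates an `/etc/fstab` entry (or, through `findmnt` from util-linux, the live mount) against the options the steps above require. The `cmh_*` function names are this example's own.

```shell
#!/bin/sh
# Added example, not CheckMyHTTPS project code: check that a tmpfs cache entry
# carries the options the manual installation steps require.
# Function names (cmh_*) are this example's own.

# cmh_has_opt OPTS NAME -> 0 if NAME or NAME=value appears in the comma list OPTS
cmh_has_opt() {
    case ",$1," in
        *",$2,"*|*",$2="*) return 0 ;;
        *) return 1 ;;
    esac
}

# cmh_get_opt OPTS NAME -> prints the value of NAME=value (empty if absent)
cmh_get_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p"
}

# cmh_check_fstab_line LINE WANT_UID WANT_GID
# LINE is one /etc/fstab entry; prints every problem found, returns 1 if any.
cmh_check_fstab_line() {
    line=$1; want_uid=$2; want_gid=$3; rc=0
    set -- $line   # fields: fs_spec fs_file fs_vfstype fs_mntops fs_freq fs_passno
    fstype=$3; opts=$4
    [ "$fstype" = tmpfs ] || { echo "fstype is '$fstype', expected tmpfs"; rc=1; }
    # nosuid/noexec: the web server can write here, so nothing in it may be executable
    for o in nosuid noexec; do
        cmh_has_opt "$opts" "$o" || { echo "missing option $o"; rc=1; }
    done
    case "$(cmh_get_opt "$opts" mode)" in
        770|0770) ;;
        *) echo "mode must be 770 (no access for other users)"; rc=1 ;;
    esac
    [ "$(cmh_get_opt "$opts" uid)" = "$want_uid" ] || { echo "uid must be $want_uid"; rc=1; }
    [ "$(cmh_get_opt "$opts" gid)" = "$want_gid" ] || { echo "gid must be $want_gid"; rc=1; }
    [ -n "$(cmh_get_opt "$opts" size)" ] || { echo "no size= limit: a flood of requests could fill RAM"; rc=1; }
    return $rc
}

# cmh_check_mounted DIR WANT_UID WANT_GID -> same checks against the live mount
# (assumes findmnt from util-linux; tmpfs reports uid/gid/mode in its option list)
cmh_check_mounted() {
    dir=$1; u=$2; g=$3
    out=$(findmnt -n -o FSTYPE,OPTIONS "$dir") || { echo "$dir is not a mount point"; return 1; }
    set -- $out
    cmh_check_fstab_line "tmpfs $dir $1 $2 0 0" "$u" "$g"
}

# usage: ./check_cache_mount.sh /var/tmp/cmh_cache 960 955
if [ "$#" -gt 0 ]; then cmh_check_mounted "$@"; fi
```

Run it once after editing `/etc/fstab` and again after `mount` (or a reboot); the second run catches the case where the line is right but the directory is still a plain, executable, unbounded directory on the root filesystem.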

  1. Create the RSA private key (PEM format) used to sign the server's answers: `openssl genrsa -out private_key 4096`
  2. Derive the associated public key, which the clients use to check the server's signature: `openssl rsa -in private_key -pubout -out public_key`
  3. Store the private key outside the web server folder. Copy the public key to `download/public_key`.
  4. Edit `config.php` to set the path of your private key (`$PRIVATE_KEY=/path_to_your_private_key`).
  5. Edit `config.php` and replace `['checkmyhttps.net','www.checkmyhttps.net','185.235.207.57']` with all of your server's FQDNs and IP addresses.
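The key pair above is what lets a client tell a genuine answer from one forged by whoever sits between it and the server, so the public key you publish must be the public half of the private key the server signs with. The script below is an added example, not code from the CheckMyHTTPS project: it creates the pair as in steps 1 and 2, checks that the two files share a modulus, and does a sign/verify round trip with a constructed sample answer. It assumes the `openssl` command line tool is installed, and it uses SHA-256 for the round trip; the README does not state which digest the server itself uses, so that part is illustrative. The `cmh_*` names are this example's own.

```shell
#!/bin/sh
# Added example, not CheckMyHTTPS project code: exercise the RSA key pair the
# README has you create and confirm public_key matches private_key.
# Assumes the openssl CLI. SHA-256 PKCS#1 v1.5 signatures are used here for the
# round trip; the server's own digest choice is not stated in the README.

# cmh_gen_keys DIR [BITS]: create DIR/private_key and DIR/public_key (PEM)
cmh_gen_keys() {
    dir=$1; bits=${2:-4096}
    (   # umask 077: the private key must never be group- or world-readable
        umask 077
        openssl genrsa -out "$dir/private_key" "$bits" 2>/dev/null &&
        openssl rsa -in "$dir/private_key" -pubout -out "$dir/public_key" 2>/dev/null
    )
}

# cmh_keys_match PRIV PUB: 0 if PUB is the public half of PRIV (same modulus)
cmh_keys_match() {
    m1=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    m2=$(openssl rsa -pubin -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$m1" ] && [ "$m1" = "$m2" ]
}

# cmh_sign PRIV MSG SIG: sign file MSG with PRIV, writing the raw signature to SIG
cmh_sign() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# cmh_verify PUB MSG SIG: 0 if SIG is a valid signature of MSG under PUB
cmh_verify() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# cmh_demo DIR: full round trip in DIR, printing one line per check
cmh_demo() {
    d=$1
    cmh_gen_keys "$d"
    cmh_keys_match "$d/private_key" "$d/public_key" && echo "public_key matches private_key"
    # constructed sample answer; the real server's answer format is not shown here
    printf '%s' '{"host":"example.com","status":"ok"}' > "$d/answer.json"
    cmh_sign "$d/private_key" "$d/answer.json" "$d/answer.sig"
    cmh_verify "$d/public_key" "$d/answer.json" "$d/answer.sig" && echo "signature verifies"
    printf '%s' '{"host":"example.com","status":"tampered"}' > "$d/tampered.json"
    cmh_verify "$d/public_key" "$d/tampered.json" "$d/answer.sig" || echo "tampered answer rejected"
}

# usage: ./cmh_keys.sh /tmp/cmh-keys
if [ "$#" -gt 0 ]; then cmh_demo "$1"; fi
```

The modulus comparison is the quick check to run after copying `public_key` into `download/`: a stale or wrong public key there does not break the server, it only makes every client reject its answers.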

INSTALLATION

  1. Copy the content of the www folder to your webroot.
  2. Then configure your clients to use your own check server.

Scripted installation

REQUIREMENTS

  • You need an HTTPS server with PHP and the php-filter module
  1. Prepare the directory layout:
  • sources: `$HOME/checkmyhttps`
  • wwwdir: `/opt/checkmyhttps/www`
  • private key dir: `/opt/checkmyhttps/key`
  • tmpdir: `/opt/checkmyhttps/tmp`
  • locate the server's HTTPS certificate: `/etc/ssl/my.crt`
  • locate the web server or PHP user: `www-data`
  2. Add this line to `/etc/fstab`:

```
tmpfs /opt/checkmyhttps/tmp tmpfs mand,noatime,size=256m,nosuid,noexec,uid=www-data,gid=www-data,mode=770 0 0
```

  3. Mount it:

```
mount /opt/checkmyhttps/tmp
```

INSTALLATION

  1. Run the script. You will be asked to generate a new app SSL certificate. Do not add a trailing `/` to the directory arguments.

```
./install.sh /opt/checkmyhttps/www /opt/checkmyhttps/key /etc/ssl/my.crt mydomain.com
```

Testing with Docker

  1. Put your certificate in the `confs/cert` folder (with the names `cert.cer`, `privkey.key` and `chain.cer`).
  2. Build the Docker image: `docker build -t checkmyhttps/cmh_server .`
  3. Run the Docker container: `docker run -it --rm -p 443:443 checkmyhttps/cmh_server`

More information

This server does not store client data.

It only stores files containing the DNS resolution of the checked hostnames and their certificate fingerprints, for a defined amount of time (default: 6 hours).

Client requests can be logged for debugging purposes: edit `config.php` and set `$LOG_REGS = true`.