{"id":45492539,"url":"https://github.com/burakozcn01/certstream-server-rust","last_synced_at":"2026-02-22T17:29:11.197Z","repository":{"id":330772354,"uuid":"1122949558","full_name":"burakozcn01/certstream-server-rust","owner":"burakozcn01","description":"High-performance Certificate Transparency (CT) monitoring tool written in Rust. Real-time stream of newly issued SSL/TLS certificates from CT logs. Rust implementation of certstream-server with improved performance and memory efficiency.","archived":false,"fork":false,"pushed_at":"2026-02-22T03:16:15.000Z","size":121,"stargazers_count":6,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-22T09:23:01.360Z","etag":null,"topics":["certificate-transparency","certstream","ct-logs","rust","security","threat-intelligence","websocket","x509"],"latest_commit_sha":null,"homepage":"https://certstream.dev/","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/burakozcn01.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-25T22:24:07.000Z","updated_at":"2026-02-22T00:23:30.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/burakozcn01/certstream-server-rust","commit_stats":null,"previous_names":["burakozcn01/certstream-server-rust"],"tags_count":8,"template":false,"template_full_name":null,"purl":"pkg:github/burakozcn01/certstream-server-rust","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/burakozcn01%2Fcertstream-server-rust","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/burakozcn01%2Fcertstream-server-rust/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/burakozcn01%2Fcertstream-server-rust/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/burakozcn01%2Fcertstream-server-rust/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/burakozcn01","download_url":"https://codeload.github.com/burakozcn01/certstream-server-rust/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/burakozcn01%2Fcertstream-server-rust/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29720563,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-22T15:10:41.462Z","status":"ssl_error","status_checked_at":"2026-02-22T15:10:04.636Z","response_time":110,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificate-transparency","certstream","ct-logs","rust","security","threat-intelligence","websocket","x509"],"created_at":"2026-02-22T17:29:10.092Z","updated_at":"2026-02-22T17:29:11.181Z","avatar_url":"https://github.com/burakozcn01.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# certstream-server-rust\n\nA high-performance **certstream server** written in Rust. Monitors Certificate Transparency logs and streams newly issued SSL/TLS certificates in real-time via WebSocket and SSE. \n\n[![GHCR](https://img.shields.io/badge/ghcr.io-burakozcn01%2Fcertstream--server--rust-blue?logo=github)](https://github.com/burakozcn01/certstream-server-rust/pkgs/container/certstream-server-rust)\n[![Rust](https://img.shields.io/badge/rust-1.88%2B-orange.svg)](https://www.rust-lang.org/)\n[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)\n[![Docs](https://img.shields.io/badge/docs-certstream.dev-blue.svg)](https://certstream.dev/)\n\n## What is Certstream?\n\nCertstream aggregates certificates from Certificate Transparency (CT) logs and streams them in real-time. It provides a firehose of newly issued SSL/TLS certificates that you can filter and process for your own purposes.\n\nThis Rust implementation delivers better performance than certstream-server-go while maintaining full compatibility with existing certstream clients.\n\n### Why Rust?\n\n- 27 MB memory idle, ~150 MB stable RSS under load (flat — no growth over time)\n- ~1,000 msg/s sustained CT ingest rate; zero-copy broadcast via `Arc\u003cPreSerializedMessage\u003e`\n- 8.4 ms average latency\n- 23% CPU with 500 clients\n- SIMD-accelerated JSON via `simd-json` (enabled by default)\n- Single binary, no dependencies\n\n## Features\n\n- WebSocket and Server-Sent Events (SSE)\n- Pre-serialized messages for efficient broadcasting\n- 60+ Certificate Transparency logs monitored (Google, Cloudflare, DigiCert, Sectigo, Let's Encrypt)\n- State persistence - resume from last position after restart\n- Connection limiting - protect against abuse with per-IP and total limits\n- Token authentication - Bearer token based API access control\n- Hot reload - config changes apply without restart\n- Rate limiting - token bucket + sliding window algorithm\n- Circuit breaker - automatic isolation of failing CT logs with exponential backoff\n- Prometheus metrics endpoint (/metrics)\n- Health check endpoint (/health)\n- REST API for server stats and CT log health\n- Certificate lookup by SHA256, SHA1, or fingerprint\n\n## Documentation\n\nVisit **[certstream.dev](https://certstream.dev/)** for:\n- Detailed API documentation\n- Client examples and integration guides\n- Self-hosting guide\n\n## Quick Start\n\n```bash\ndocker run -d -p 8080:8080 ghcr.io/burakozcn01/certstream-server-rust:latest\n\ndocker run -d \\\n  --name certstream \\\n  --restart unless-stopped \\\n  -p 8080:8080 \\\n  -v certstream-state:/data \\\n  -e CERTSTREAM_CT_LOG_STATE_FILE=/data/state.json \\\n  -e CERTSTREAM_CONNECTION_LIMIT_ENABLED=true \\\n  ghcr.io/burakozcn01/certstream-server-rust:latest\n```\n\n### Environment Variables\n\n| Variable | Default | Description |\n|----------|---------|-------------|\n| `CERTSTREAM_HOST` | 0.0.0.0 | Bind address |\n| `CERTSTREAM_PORT` | 8080 | HTTP/WebSocket port |\n| `CERTSTREAM_LOG_LEVEL` | info | debug, info, warn, error |\n| `CERTSTREAM_BUFFER_SIZE` | 1000 | Broadcast buffer |\n\n**Protocols**\n\n| Variable | Default | Description |\n|----------|---------|-------------|\n| `CERTSTREAM_WS_ENABLED` | true | Enable WebSocket |\n| `CERTSTREAM_SSE_ENABLED` | true | Enable SSE |\n| `CERTSTREAM_METRICS_ENABLED` | true | Enable /metrics endpoint |\n| `CERTSTREAM_HEALTH_ENABLED` | true | Enable /health endpoint |\n| `CERTSTREAM_EXAMPLE_JSON_ENABLED` | true | Enable /example.json endpoint |\n| `CERTSTREAM_API_ENABLED` | false | Enable REST API endpoints |\n\n**Connection Limiting**\n\n| Variable | Default | Description |\n|----------|---------|-------------|\n| `CERTSTREAM_CONNECTION_LIMIT_ENABLED` | false | Enable connection limits |\n| `CERTSTREAM_CONNECTION_LIMIT_MAX_CONNECTIONS` | 10000 | Max total connections |\n| `CERTSTREAM_CONNECTION_LIMIT_PER_IP_LIMIT` | 100 | Max per IP |\n\n**Authentication**\n\n| Variable | Default | Description |\n|----------|---------|-------------|\n| `CERTSTREAM_AUTH_ENABLED` | false | Enable token auth |\n| `CERTSTREAM_AUTH_TOKENS` | - | Comma-separated tokens |\n| `CERTSTREAM_AUTH_HEADER_NAME` | Authorization | Auth header |\n\n**Rate Limiting**\n\n| Variable | Default | Description |\n|----------|---------|-------------|\n| `CERTSTREAM_RATE_LIMIT_ENABLED` | false | Enable rate limiting |\n\nRate limiting uses a hybrid token bucket + sliding window algorithm with tier-based limits (Free, Standard, Premium).\n\n**CT Log Settings**\n\n| Variable | Default | Description |\n|----------|---------|-------------|\n| `CERTSTREAM_CT_LOG_STATE_FILE` | certstream_state.json | State file path |\n| `CERTSTREAM_CT_LOG_RETRY_MAX_ATTEMPTS` | 3 | Max retry attempts |\n| `CERTSTREAM_CT_LOG_REQUEST_TIMEOUT_SECS` | 30 | Request timeout |\n| `CERTSTREAM_CT_LOG_BATCH_SIZE` | 256 | Entries per batch |\n\n**Hot Reload**\n\n| Variable | Default | Description |\n|----------|---------|-------------|\n| `CERTSTREAM_HOT_RELOAD_ENABLED` | false | Enable hot reload |\n| `CERTSTREAM_HOT_RELOAD_WATCH_PATH` | - | Config file to watch |\n\n### Build from Source\n\n```bash\n# Docker Compose\ndocker compose up -d\n```\n\n## API\n\n### WebSocket\n\n| Endpoint | Description |\n|----------|-------------|\n| `ws://host:8080/` | Lite stream (no DER/chain) |\n| `ws://host:8080/full-stream` | Full data with DER and chain |\n| `ws://host:8080/domains-only` | Just domain names (`message_type: \"dns_entries\"`, `data` is a bare string array) |\n\n### SSE\n\n| Endpoint | Description |\n|----------|-------------|\n| `http://host:8080/sse` | Lite (default) |\n| `http://host:8080/sse?stream=full` | Full |\n| `http://host:8080/sse?stream=domains` | Domains only |\n\n### HTTP\n\n| Endpoint | Description |\n|----------|-------------|\n| `/health` | Basic health check (returns \"OK\") |\n| `/health/deep` | Detailed health with log status, connections, uptime (JSON) |\n| `/metrics` | Prometheus metrics |\n| `/example.json` | Example message |\n\n### REST API\n\nEnable with `CERTSTREAM_API_ENABLED=true`.\n\n| Endpoint | Description |\n|----------|-------------|\n| `GET /api/stats` | Server statistics (uptime, connections, throughput, cache) |\n| `GET /api/logs` | CT log health status (healthy, degraded, unhealthy counts) |\n| `GET /api/cert/{hash}` | Lookup certificate by SHA256, SHA1, or fingerprint |\n\nExample:\n```bash\n# Get server stats\ncurl http://localhost:8080/api/stats\n\n# Get CT log health\ncurl http://localhost:8080/api/logs\n\n# Lookup certificate by SHA256 hash\ncurl http://localhost:8080/api/cert/F0E2023BCAACBF9D40A4E2C767E77B46BA96AE81240EBC525FA43C0A50BFACDE\n\n# Deep health check (returns JSON with detailed status)\ncurl http://localhost:8080/health/deep\n# {\"status\":\"healthy\",\"logs_healthy\":27,\"logs_degraded\":0,\"logs_unhealthy\":0,\"logs_total\":27,\"active_connections\":0,\"uptime_secs\":3600}\n```\n\n## Performance Comparison\n\nBenchmarked with 500 concurrent WebSocket clients, 60 seconds, identical conditions (2 CPU cores, 2GB RAM per container):\n\n| Metric | Rust | Go | Elixir |\n|--------|------|-----|--------|\n| Memory (idle) | 27 MB | 49 MB | 230 MB |\n| Memory (under load, stable) | ~150 MB | 309 MB | 649 MB |\n| CPU (idle) | 5% | 36% | 172% |\n| CPU (under load) | 23% | 72% | 206% |\n| Throughput | 48.6K msg/s | 27K msg/s | 19K msg/s |\n| Avg Latency | 8.4 ms | 9.2 ms | 26.8 ms |\n| P99 Latency | 172 ms | 187 ms | 297 ms |\n| Connect Time | 162 ms | 156 ms | 784 ms |\n\n**Rust vs Elixir**: ~4x less memory under load (flat ~150MB RSS), 2.5x higher throughput, 3.2x lower latency\n**Rust vs Go**: ~2x less memory under load, 3x lower CPU, 1.8x higher throughput\n\n## Certificate Transparency Logs\n\nCertstream monitors 60+ CT logs from major providers:\n\n| Provider | Logs |\n|----------|------|\n| Google | Argon, Xenon, Solera, Submariner |\n| Cloudflare | Nimbus |\n| DigiCert | Wyvern, Sphinx |\n| Sectigo | Elephant, Tiger, Dodo |\n| Let's Encrypt | Willow, Sycamore (Static CT — 2025h2/2026h1) |\n| Others | TrustAsia, Nordu, and more |\n\n## Release Notes\n\nSee [RELEASE_NOTES.md](RELEASE_NOTES.md) for version history.\n\n## License\n\nMIT - see [LICENSE](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fburakozcn01%2Fcertstream-server-rust","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fburakozcn01%2Fcertstream-server-rust","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fburakozcn01%2Fcertstream-server-rust/lists"}