Container

Available Images

Docker Hub

secanis/tlscheck-api

podman run --rm -p 3000:3000 secanis/tlscheck-api

View on Docker Hub

GitHub Container Registry

ghcr.io/secanis/tlscheck-api

podman run --rm -p 3000:3000 ghcr.io/secanis/tlscheck-api

View on GitHub

Quick Start

podman run --rm -p 3000:3000 tlscheck/api

Recommended: Read-Only Container

For enhanced security, run the container with a read-only filesystem:

podman run --read-only --tmpfs /tmp --rm -p 3000:3000 tlscheck/api

This prevents any writes to the container filesystem, with /tmp mounted as a tmpfs.

Building the Image

podman build -t tlscheck/api .

Environment Variables

Pass environment variables using -e:

podman run --rm -e PORT=8080 -e LOG_LEVEL=debug -p 8080:3000 tlscheck/api

See Configuration for all available options.

Volume Mounts

No volumes are required. The container is self-contained.

Health Check

The image includes a built-in health check:

podman run --rm -p 3000:3000 tlscheck/api
# Check health
curl http://localhost:3000/health

Security Features

The container runs as a non-root user by default:

User: app (UID 1001)
Group: appgroup (GID 1001)

Docker Compose Example

version: '3.8'

services:
  tlscheck:
    image: tlscheck/api
    ports:
      - "3000:3000"
    environment:
      - PORT=3000
      - LOG_LEVEL=info
      - CACHE_TTL_MS=1800000
      - REVOCATION_MODE=ocsp
    security_opt:
      - no-new-privileges:true
    read_only: true
    tmpfs:
      - /tmp:size=64m
    restart: unless-stopped

Production Deployment

For production, consider:

Use a reverse proxy (nginx, Caddy, traefik)
Enable HTTPS for the API
Set appropriate CACHE_TTL_MS for your traffic
Monitor logs via LOG_LEVEL=info (default)
Configure rate limiting via RATE_LIMIT_MAX and RATE_LIMIT_WINDOW_MS