Pēteris Caune 959df1ffaa | 4 years ago | |
---|---|---|
.github/workflows | 4 years ago | |
hc | 4 years ago | |
locale | 4 years ago | |
static | 4 years ago | |
stuff | 4 years ago | |
templates | 4 years ago | |
.gitignore | 6 years ago | |
CHANGELOG.md | 4 years ago | |
LICENSE | 5 years ago | |
README.md | 4 years ago | |
manage.py | 10 years ago | |
requirements.txt | 4 years ago |
healthchecks is a watchdog for your cron jobs. It's a web server that listens for pings from your cron jobs, plus a web interface.
It is live here: http://healthchecks.io/
The building blocks are:
These are instructions for setting up healthchecks Django app in development environment.
install dependencies (Debian/Ubuntu)
$ sudo apt-get update
$ sudo apt-get install -y gcc python3-dev python3-venv
prepare directory for project code and virtualenv:
$ mkdir -p ~/webapps
$ cd ~/webapps
prepare virtual environment (with virtualenv you get pip, we'll use it soon to install requirements):
$ python3 -m venv hc-venv
$ source hc-venv/bin/activate
check out project code:
$ git clone https://github.com/healthchecks/healthchecks.git
install requirements (Django, ...) into virtualenv:
$ pip install -r healthchecks/requirements.txt
healthchecks is configured to use a SQLite database by default. To use
PostgreSQL or MySQL database, create and edit hc/local_settings.py
file.
There is a template you can copy and edit as needed:
$ cd ~/webapps/healthchecks
$ cp hc/local_settings.py.example hc/local_settings.py
create database tables and the superuser account:
$ cd ~/webapps/healthchecks
$ ./manage.py migrate
$ ./manage.py createsuperuser
run development server:
$ ./manage.py runserver
The site should now be running at http://localhost:8000
.
To access Django administration site, log in as a super user, then
visit http://localhost:8000/admin
Healthchecks prepares its configuration in hc/settings.py
. It reads configuration
from two places:
hc/local_settings.py
file, if it existsYou can use either mechanism, depending on what is more convenient. Using
hc/local_settings.py
allows more flexibility: you can set
each and every Django setting,
you can run Python code to load configuration from an external source.
Healthchecks reads configuration from the following environment variables:
Environment variable | Default value | Notes |
---|---|---|
SECRET_KEY | "---" |
|
DEBUG | True |
Set to False for production |
ALLOWED_HOSTS | * |
Separate multiple hosts with commas |
DEFAULT_FROM_EMAIL | "[email protected]" |
|
USE_PAYMENTS | False |
|
REGISTRATION_OPEN | True |
|
DB | "sqlite" |
Set to "postgres" or "mysql" |
DB_HOST | "" (empty string) |
|
DB_PORT | "" (empty string) |
|
DB_NAME | "hc" (PostgreSQL, MySQL) or "/path/to/project/hc.sqlite" (SQLite) |
For SQLite, specify the full path to the database file. |
DB_USER | "postgres" or "root" |
|
DB_PASSWORD | "" (empty string) |
|
DB_CONN_MAX_AGE | 0 |
|
DB_SSLMODE | "prefer" |
PostgreSQL-specific, details |
DB_TARGET_SESSION_ATTRS | "read-write" |
PostgreSQL-specific, details |
EMAIL_HOST | "" (empty string) |
|
EMAIL_PORT | "587" |
|
EMAIL_HOST_USER | "" (empty string) |
|
EMAIL_HOST_PASSWORD | "" (empty string) |
|
EMAIL_USE_TLS | "True" |
|
EMAIL_USE_VERIFICATION | "True" |
Whether to send confirmation links when adding email integrations |
SITE_ROOT | "http://localhost:8000" |
|
SITE_NAME | "Mychecks" |
|
RP_ID | None |
Enables WebAuthn support |
MASTER_BADGE_LABEL | "Mychecks" |
|
PING_ENDPOINT | "http://localhost:8000/ping/" |
|
PING_EMAIL_DOMAIN | "localhost" |
|
PING_BODY_LIMIT | 10000 | In bytes. Set to None to always log full request body |
APPRISE_ENABLED | "False" |
|
DISCORD_CLIENT_ID | None |
|
DISCORD_CLIENT_SECRET | None |
|
LINENOTIFY_CLIENT_ID | None |
|
LINENOTIFY_CLIENT_SECRET | None |
|
MATRIX_ACCESS_TOKEN | None |
|
MATRIX_HOMESERVER | None |
|
MATRIX_USER_ID | None |
|
PD_VENDOR_KEY | None |
|
PUSHBULLET_CLIENT_ID | None |
|
PUSHBULLET_CLIENT_SECRET | None |
|
PUSHOVER_API_TOKEN | None |
|
PUSHOVER_EMERGENCY_EXPIRATION | 86400 |
|
PUSHOVER_EMERGENCY_RETRY_DELAY | 300 |
|
PUSHOVER_SUBSCRIPTION_URL | None |
|
REMOTE_USER_HEADER | None |
See External Authentication for details. |
SHELL_ENABLED | "False" |
|
SLACK_CLIENT_ID | None |
|
SLACK_CLIENT_SECRET | None |
|
TELEGRAM_BOT_NAME | "ExampleBot" |
|
TELEGRAM_TOKEN | None |
|
TRELLO_APP_KEY | None |
|
TWILIO_ACCOUNT | None |
|
TWILIO_AUTH | None |
|
TWILIO_FROM | None |
|
TWILIO_USE_WHATSAPP | "False" |
Some useful settings keys to override are:
SITE_ROOT
is used to build fully qualified URLs for pings, and for use in
emails and notifications. Example:
SITE_ROOT = "https://my-monitoring-project.com"
SITE_NAME
has the default value of "Mychecks" and is used throughout
the templates. Replace it with your own name to personalize your installation.
Example:
SITE_NAME = "My Monitoring Project"
REGISTRATION_OPEN
controls whether site visitors can create new accounts.
Set it to False
if you are setting up a private healthchecks instance, but
it needs to be publicly accessible (so, for example, your cloud services
can send pings).
If you close new user registration, you can still selectively invite users to your team account.
EMAIL_USE_VERIFICATION
enables/disables the sending of a verification
link when an email address is added to the list of notification methods.
Set it to False
if you are setting up a private healthchecks instance where
you trust your users and want to avoid the extra verification step.
PING_BODY_LIMIT
sets the size limit in bytes for logged ping request bodies.
The default value is 10000 (10 kilobytes). You can remove the limit altogether by
setting this value to None
.
Database configuration is loaded from environment variables. If you
need to use a non-standard configuration, you can override the
database configuration in hc/local_settings.py
like so:
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.postgresql',
'NAME': 'your-database-name-here',
'USER': 'your-database-user-here',
'PASSWORD': 'your-database-password-here',
'TEST': {'CHARSET': 'UTF8'},
'OPTIONS': {
... your custom options here ...
}
}
}
healthchecks comes with Django's administration panel where you can manually view and modify user accounts, projects, checks, integrations etc. To access it,
./manage.py createsuperuser
healthchecks must be able to send email messages, so it can send out login
links and alerts to users. Environment variables can be used to configure
SMTP settings, or your may put your SMTP server configuration in
hc/local_settings.py
like so:
EMAIL_HOST = "your-smtp-server-here.com"
EMAIL_PORT = 587
EMAIL_HOST_USER = "username"
EMAIL_HOST_PASSWORD = "password"
EMAIL_USE_TLS = True
For more information, have a look at Django documentation, Sending Email section.
healthchecks comes with a smtpd
management command, which starts up a
SMTP listener service. With the command running, you can ping your
checks by sending email messages
to [email protected]
email addresses.
Start the SMTP listener on port 2525:
$ ./manage.py smtpd --port 2525
Send a test email:
$ curl --url 'smtp://127.0.0.1:2525' \
--mail-from '[email protected]' \
--mail-rcpt '[email protected]' \
-F '='
healtchecks comes with a sendalerts
management command, which continuously
polls database for any checks changing state, and sends out notifications as
needed. Within an activated virtualenv, you can manually run
the sendalerts
command like so:
$ ./manage.py sendalerts
In a production setup, you will want to run this command from a process manager like supervisor or systemd.
With time and use the healthchecks database will grow in size. You may decide to prune old data: inactive user accounts, old checks not assigned to users, records of outgoing email messages and records of received pings. There are separate Django management commands for each task:
Remove old records from api_ping
table. For each check, keep 100 most
recent pings:
$ ./manage.py prunepings
Remove old records of sent notifications. For each check, remove notifications that are older than the oldest stored ping for same check.
$ ./manage.py prunenotifications
Remove user accounts that match either of these conditions:
Account was created more than 6 months ago, and user has never logged in. These can happen when user enters invalid email address when signing up.
Last login was more than 6 months ago, and the account has no checks. Assume the user doesn't intend to use the account any more and would probably want it removed.
$ ./manage.py pruneusers
Remove old records from the api_tokenbucket
table. The TokenBucket
model is used for rate-limiting login attempts and similar operations.
Any records older than one day can be safely removed.
$ ./manage.py prunetokenbucket
Remove old records from the api_flip
table. The Flip
objects are used to track status changes of checks, and to calculate
downtime statistics month by month. Flip objects from more than 3 months
ago are not used and can be safely removed.
$ ./manage.py pruneflips
When you first try these commands on your data, it is a good idea to test them on a copy of your database, not on the live database right away. In a production setup, you should also have regular, automated database backups set up.
Healthchecks optionally supports two-factor authentication using the WebAuthn
standard. To enable WebAuthn support, set the RP_ID
(relying party identifier )
setting to a non-null value. Set its value to your site's domain without scheme
and without port. For example, if your site runs on https://my-hc.example.org
,
set RP_ID
to my-hc.example.org
.
Note that WebAuthn requires HTTPS, even if running on localhost. To test WebAuthn
locally with a self-signed certificate, you can use the runsslserver
command
from the django-sslserver
package.
HealthChecks supports external authentication by means of HTTP headers set by reverse proxies or the WSGI server. This allows you to integrate it into your existing authentication system (e.g., LDAP or OAuth) via an authenticating proxy. When this option is enabled, healtchecks will trust the header's value implicitly, so it is very important to ensure that attackers cannot set the value themselves (and thus impersonate any user). How to do this varies by your chosen proxy, but generally involves configuring it to strip out headers that normalize to the same name as the chosen identity header.
To enable this feature, set the REMOTE_USER_HEADER
value to a header you wish to
authenticate with. HTTP headers will be prefixed with HTTP_
and have any dashes
converted to underscores. Headers without that prefix can be set by the WSGI server
itself only, which is more secure.
When REMOTE_USER_HEADER
is set, Healthchecks will:
To enable the Slack "self-service" integration, you will need to create a "Slack App".
To do so:
incoming-webhook
for the Bot Token Scopes
https://api.slack.com/apps/APP_ID/oauth?).SITE_ROOT/integrations/add_slack_btn/
.
For example, if your SITE_ROOT is https://my-hc.example.org
then the redirect URL would be
https://my-hc.example.org/integrations/add_slack_btn/
.SLACK_CLIENT_ID
and SLACK_CLIENT_SECRET
environment
variables.To enable Discord integration, you will need to:
SITE_ROOT/integrations/add_discord/
. For example, if you are running a
development server on localhost:8000
then the redirect URI would be
http://localhost:8000/integrations/add_discord/
DISCORD_CLIENT_ID
and DISCORD_CLIENT_SECRET
environment
variables.Pushover integration works by creating an application on Pushover.net which is then subscribed to by Healthchecks users. The registration workflow is as follows:
To enable the Pushover integration, you will need to:
http://healthchecks.example.com/
).PUSHOVER_API_TOKEN
and PUSHOVER_SUBSCRIPTION_URL
environment
variables. The Pushover subscription URL should look similar to
https://pushover.net/subscribe/yourAppName-randomAlphaNumericData
.Create a Telegram bot by talking to the BotFather. Set the bot's name, description, user picture, and add a "/start" command.
After creating the bot you will have the bot's name and token. Put them
in TELEGRAM_BOT_NAME
and TELEGRAM_TOKEN
environment variables.
Run settelegramwebhook
management command. This command tells Telegram
where to forward channel messages by invoking Telegram's
setWebhook API call:
$ ./manage.py settelegramwebhook
Done, Telegram's webhook set to: https://my-monitoring-project.com/integrations/telegram/bot/
For this to work, your SITE_ROOT
needs to be correct and use "https://"
scheme.
To enable Apprise integration, you will need to:
pip install apprise
APPRISE_ENABLED
environment variable.The "Shell Commands" integration runs user-defined local shell commands when checks
go up or down. This integration is disabled by default, and can be enabled by setting
the SHELL_ENABLED
environment variable to True
.
Note: be careful when using "Shell Commands" integration, and only enable it when
you fully trust the users of your Healthchecks instance. The commands will be executed
by the manage.py sendalerts
process, and will run with the same system permissions as
the sendalerts
process.
To enable the Matrix integration you will need to:
MATRIX_
environment variables. Example:MATRIX_HOMESERVER=https://matrix.org
MATRIX_USER_ID=@mychecks:matrix.org
MATRIX_ACCESS_TOKEN=[a long string of characters returned by the login call]
Here is a non-exhaustive list of pointers and things to check before launching a Healthchecks instance in production.
False
.manage.py compress
command whenever files in the /static/
directory change.manage.py collectstatic
command whenever files in the /static/
directory change. This command collects all the static files inside the static-collected
directory.
Configure your web server to serve files from this directory under the /static/
prefix../manage.py migrate
.manage.py runserver
is intended for development only. Do not use it in production,
instead consider using uWSGI or
gunicorn.manage.py sendalerts
command is running and can survive server restarts.
On modern linux systems, a good option is to
define a systemd service for it.