
# TLS Feature Configuration
# Settings for HTTPS/TLS support and SSL certificate management.
# NOTE(review): TLS is gated twice in this file — `features.tls` here and
# `tls.enabled` in [tls] below. Which key the loader honours (or whether both
# must be true) is not visible from this file; keep the two in sync.
[features]
tls = false # Enable TLS/HTTPS support
# TLS Configuration
[tls]
# Listener switch; `features.tls` above must agree with it.
enabled = false
port = 443
# 0.0.0.0 listens on every IPv4 interface and, on most platforms, not on IPv6
# ("::" is the dual-stack wildcard). Narrow this on multi-homed hosts.
bind_address = "0.0.0.0"
# TLS 1.2 is the floor. TLS 1.0/1.1 are deprecated (RFC 8996); do not add them back.
protocols = ["TLSv1.2", "TLSv1.3"]
# Server-side preference only affects TLS 1.2 suite selection; TLS 1.3 suite
# order is fixed by the library in most implementations.
prefer_server_cipher_order = true
# h2 over TLS is negotiated via ALPN (RFC 7540 §3.3); confirm the TLS backend
# advertises it, otherwise clients will simply use HTTP/1.1.
enable_http2 = true
# Stapling is off, so clients that check revocation must query the CA's OCSP
# responder themselves (slower, and reveals the visited certificate to the CA).
# Consider enabling once the server can reach the responder.
enable_ocsp_stapling = false
# Certificate Configuration
[tls.certificates]
# Primary certificate (PEM). Relative paths resolve against the process's
# working directory and TOML does no variable expansion, so use absolute
# paths in deployments that may start from a different cwd.
cert_path = "certs/server.crt"
# The private key is the credential, not the .crt: restrict it to the
# service user (e.g. mode 0600) and keep it out of version control.
key_path = "certs/server.key"
chain_path = "certs/chain.pem"
# Empty = unencrypted key. A password file moves the secret, it does not
# remove it — protect it exactly like key_path.
password_file = "" # Path to file containing private key password
# Certificate validation (mutual TLS)
# Off by default. `client_ca_path` must point at the client trust anchors
# before this is enabled.
verify_client_certs = false
client_ca_path = ""
# As the name suggests, optional = true admits clients that present no
# certificate even when verification is on, so the application must check
# for an authenticated identity itself. Set false for strict mTLS.
client_cert_optional = true
# Let's Encrypt Configuration
[tls.letsencrypt]
enabled = false
# Placeholders — replace before enabling. The contact address receives
# expiry and policy notices from the CA.
email = "admin@example.com"
domains = ["example.com", "www.example.com"]
# Production endpoint; issuance is rate-limited per registered domain. Point
# at the staging directory (https://acme-staging-v02.api.letsencrypt.org/directory)
# while testing — its certificates are not publicly trusted.
acme_server = "https://acme-v02.api.letsencrypt.org/directory"
# http-01 needs port 80 reachable from the internet (see [tls.redirect]);
# tls-alpn-01 needs port 443; dns-01 is the only type that can issue wildcards.
challenge_type = "http-01" # "http-01", "dns-01", "tls-alpn-01"
# Presumably holds the ACME account key as well as issued certificates —
# confirm; either way it needs the same protection as key_path.
cert_path = "certs/letsencrypt"
# Let's Encrypt certificates are valid for 90 days; renewing with 30 days
# left is the CA's recommendation and equals expiry_warning_days in
# [tls.monitoring].
auto_renew = true
renew_days_before = 30
# Self-Signed Certificate Generation
[tls.self_signed]
# Development/test only: no client trusts this certificate without pinning
# or a manual trust-store import. Never enable in production.
enabled = false
country = "US"
state = "California"
city = "San Francisco"
organization = "Rustelo"
organizational_unit = "IT Department"
# Modern clients ignore the CN for host matching and use SANs only, so every
# name or address clients will connect with must appear in alt_names.
common_name = "localhost"
# Mixed IP and DNS entries. Whether the generator emits them as IP-address
# vs DNS-name SAN types (rather than DNS for both) is not visible here — confirm.
alt_names = ["127.0.0.1", "::1", "localhost"]
# Keep short; a leaked dev key stays usable for exactly this long.
validity_days = 365
# RSA modulus bits. 2048 is the accepted minimum today; use 3072+ for keys
# that will live longer than a year.
key_size = 2048
# Certificate Monitoring
[tls.monitoring]
check_expiry = true
# 30 days equals renew_days_before in [tls.letsencrypt], so a warning
# presumably coincides with the first renewal attempt; set it a few days
# lower if you only want to hear about renewals that failed.
expiry_warning_days = 30
expiry_critical_days = 7
# How notifications are delivered is not configured in this file.
notify_on_expiry = true
health_check_enabled = true
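# Cipher Suites Configuration
[tls.ciphers]
# Allowed suites, in preference order.
# The first three are TLS 1.3 suites (IANA names); the rest are TLS 1.2
# suites in OpenSSL notation, all AEAD with ECDHE key exchange (forward
# secrecy). ECDHE-ECDSA-* variants are listed next to the RSA ones so TLS 1.2
# clients can still connect when the deployed certificate has an ECDSA key
# (e.g. from Let's Encrypt); with an RSA certificate they are never
# negotiated. Depending on the TLS backend, TLS 1.3 suites may not be
# restrictable from configuration at all — confirm this list is honoured.
allowed_ciphers = [
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_AES_128_GCM_SHA256",
"ECDHE-ECDSA-AES256-GCM-SHA384",
"ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-ECDSA-CHACHA20-POLY1305",
"ECDHE-RSA-CHACHA20-POLY1305",
"ECDHE-ECDSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES128-GCM-SHA256"
]
# Legacy support (use with caution)
# The suites below are CBC mode with HMAC (no GCM/POLY1305 in the name): not
# AEAD, and with a history of padding-oracle attacks (Lucky 13). Enable only
# for a specific, known client and remove the exception when it is gone.
allow_legacy_ciphers = false
legacy_ciphers = [
"ECDHE-RSA-AES256-SHA384",
"ECDHE-RSA-AES128-SHA256"
]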
# Key Exchange
[tls.key_exchange]
# Preference order, X25519 first. "prime256v1" is OpenSSL's name for P-256
# (secp256r1). In TLS 1.3 the same list serves as supported_groups.
ecdh_curves = ["X25519", "prime256v1", "secp384r1"]
# Finite-field DH parameters are only used by DHE-* suites in TLS 1.2. No
# such suite appears in allowed_ciphers or legacy_ciphers above (all are
# ECDHE), so these two settings are inert unless a DHE suite is added;
# 2048 bits is the minimum acceptable if one is.
dh_param_size = 2048
dh_param_file = "" # Path to custom DH parameters
# Session Management
[tls.session]
enable_session_resumption = true
# Lifetime of a resumable session; presumably applies to both the server-side
# cache and ticket validity — confirm.
session_timeout = 300 # seconds
session_cache_size = 1024
# Tickets are encrypted under a server-held key, so resumed sessions are only
# as forward-secret as that key: compromise of a ticket key exposes the
# sessions protected by tickets it encrypted (fully in TLS 1.2; in TLS 1.3
# only where resumption ran without a fresh (EC)DHE). Keep the rotation
# interval short — 1 hour here is reasonable.
enable_session_tickets = true
ticket_key_rotation_interval = 3600 # seconds
# HSTS (HTTP Strict Transport Security)
# NOTE(review): HSTS is also toggled by `tls.security_headers.enable_hsts`
# further down; which key the server reads is not visible here — keep both
# in sync.
[tls.hsts]
enabled = true
# One year. Once received, browsers refuse plain HTTP to this host (and, with
# include_subdomains, every subdomain) for max_age. Make sure all subdomains
# are actually reachable over HTTPS first: the only way to undo a mistake is
# to serve `max-age=0` over a working HTTPS connection.
max_age = 31536000 # 1 year in seconds
include_subdomains = true
# hstspreload.org requires max_age >= 31536000, include_subdomains and this
# directive. Leave false until the site meets them for good — removal from
# the preload list takes months to reach clients.
preload = false
# Certificate Transparency
# Off, and the hard-coded log list is stale: Google's Aviator log was frozen
# in 2016 and Rocketeer has since been retired, as far as I know — verify
# against the current Chrome/Apple CT log lists before enabling (logs now
# rotate yearly). What the server does with these logs is not visible here;
# most publicly trusted CAs already embed SCTs at issuance.
[tls.ct]
enabled = false
log_servers = [
"https://ct.googleapis.com/rocketeer/",
"https://ct.googleapis.com/aviator/"
]
# Performance Optimization
[tls.performance]
# TLS 1.3 0-RTT: early data can be replayed by a network attacker (RFC 8446
# §8). Enable only if every request that can arrive as early data is
# idempotent or the application detects replay. `enable_zero_rtt` and
# `enable_early_data` appear to govern the same feature — which one the
# server reads is not visible here; keep them equal.
enable_zero_rtt = false # TLS 1.3 0-RTT (use with caution)
enable_early_data = false
# 16384 = 2^14, the maximum TLS record plaintext size (RFC 8446 §5.1).
buffer_size = 16384
max_fragment_size = 16384
# TLS-level compression leaks secrets through ciphertext length (CRIME) and
# was removed from TLS 1.3 entirely; keep off. HTTP-level compression of
# responses mixing secrets with attacker-controlled input has the same
# problem (BREACH) and is not controlled here.
enable_compression = false # Disabled for security (CRIME attack)
# Security Headers (when TLS is enabled)
[tls.security_headers]
# Duplicates `tls.hsts.enabled` above; which key the server reads is not
# visible here — keep both true.
enable_hsts = true
# HPKP is deprecated and ignored by current browsers (Chrome dropped it in
# 2019, Firefox in 2020). Keep disabled: a wrong pin set locks clients out
# for hpkp_max_age with no remote fix. Use CT monitoring and CAA records instead.
enable_hpkp = false # HTTP Public Key Pinning (deprecated)
hpkp_pins = []
hpkp_max_age = 5184000 # 60 days
hpkp_include_subdomains = false
# HTTP to HTTPS Redirect
[tls.redirect]
# Plain-HTTP listener whose job is to redirect (and, with http-01 in
# [tls.letsencrypt], presumably to answer ACME challenges — confirm).
enable_http_redirect = true
redirect_port = 80
# `permanent_redirect` and `redirect_status_code` overlap; keep them
# consistent (true <-> 301/308). 301 lets clients turn a POST into a GET;
# 308 (RFC 7538) preserves method and body. Nothing sensitive should be
# arriving over port 80 in the first place.
permanent_redirect = true # Use 301 instead of 302
redirect_status_code = 301
# Certificate Store Configuration
[tls.cert_store]
# "file" uses [tls.certificates]; "vault" and "aws_acm" are configured in the
# sub-tables below. "azure_keyvault" is listed as a type but has no sub-table
# in this file — presumably unimplemented or configured elsewhere.
type = "file" # "file", "vault", "aws_acm", "azure_keyvault"
# Hot-reload lets renewed certificates take effect without a restart; the
# interval bounds how long a rotated certificate sits unused on disk.
auto_reload = true
reload_interval = 3600 # seconds
# AWS Certificate Manager Integration
[tls.cert_store.aws_acm]
region = "us-west-2"
certificate_arn = ""
# Prefer the instance/task role. The two fields below would place long-lived
# static credentials in a plaintext config file; TOML does no env-var
# expansion (`"${AWS_SECRET_ACCESS_KEY}"` would be sent to AWS literally).
# If they are ever filled in, this whole file becomes a secret: mode 0600
# and out of version control.
use_iam_role = true
access_key_id = ""
secret_access_key = ""
# HashiCorp Vault Integration
[tls.cert_store.vault]
address = "https://vault.example.com:8200"
# The only authentication knob visible here is a static token — a standing
# credential in a plaintext file, same caveat as the AWS keys above. Use a
# short-TTL, renewable token scoped to this PKI role, or an agent-injected
# token if the loader supports it.
token = ""
mount_path = "pki"
role_name = "web-server"
common_name = "example.com"
# Lifetime requested for issued leaf certificates. 8760h is long for a leaf;
# the Vault role's max_ttl caps it, and [tls.monitoring] only warns at 30
# days. With auto_reload on, a much shorter TTL costs nothing operationally.
ttl = "8760h" # 1 year
# TLS Logging
[tls.logging]
# Per-connection handshake logs presumably record client address, SNI and
# offered parameters — a privacy and volume cost; keep off outside
# investigations.
log_handshakes = false
log_errors = true
log_certificate_validation = false
log_cipher_negotiation = false
# "trace"/"debug" may expose handshake internals; keep "info" or above in
# production.
debug_level = "info" # "trace", "debug", "info", "warn", "error"
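# Development Settings
# Every switch here weakens TLS and ships off. Flip one only in a local
# development override, never in a deployed config.
[tls.development]
accept_invalid_certs = false
# Was `true` — the one insecure default enabled in this file. Turned off to
# match its siblings. Whether this governs self-signed client certificates or
# self-signed peer/upstream certificates is not visible here, but either way
# it belongs with the other dev-only overrides; pair it with
# [tls.self_signed] when testing locally.
accept_self_signed = false
skip_cert_verification = false
# Presumably writes decrypted application data (cookies, tokens) to disk —
# never enable on a shared or production host.
log_all_tls_traffic = false
enable_tls_debug = false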
# Load Balancer Integration
[tls.load_balancer]
# PROXY protocol trusts the upstream-supplied source address verbatim. Enable
# only when the LB always sends it AND the listener is unreachable except
# through the LB; otherwise any direct client can forge its address.
proxy_protocol = false
# This header must only be honoured from peers listed in trusted_proxies; a
# forged header from anyone else would defeat max_handshakes_per_ip in
# [tls.rate_limiting] and poison access logs. Whether the server enforces
# that restriction is not visible here — confirm.
real_ip_header = "X-Real-IP"
# Loopback only. Add the load balancer's specific addresses when deploying,
# never a catch-all range.
trusted_proxies = ["127.0.0.1", "::1"]
# If TLS terminates at the LB, the LB -> server hop is presumably plaintext;
# keep it on a private network or re-encrypt.
terminate_at_lb = false
# Rate Limiting for TLS Handshakes
# Handshakes are the CPU-expensive part of TLS for the server, so this is the
# DoS knob. The per-IP limit is only meaningful when the client address is
# correct (see [tls.load_balancer]); behind NAT/CGNAT a limit of 10 per
# address can throttle legitimate users sharing one IP.
[tls.rate_limiting]
max_handshakes_per_second = 100
max_handshakes_per_ip = 10
# Abort stalled handshakes so slow or half-open clients cannot hold sockets
# indefinitely.
handshake_timeout = 10 # seconds