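# TLS Feature Configuration - Production Environment
# Settings optimized for production security and performance
#
# NOTE(review): TOML has no variable interpolation. Every "${...}" value below is
# the literal string "${...}" until the consuming application expands it —
# confirm the loader does so, otherwise paths and domains are silently wrong.
# NOTE(review): the main block lives under [server.tls] while every sub-section
# lives under [tls.*]; verify the consumer actually reads both roots.

[features]
tls = true

# TLS Configuration - Production
[server.tls]
enabled = true
cert_path = "${TLS_CERT_PATH}"
key_path = "${TLS_KEY_PATH}"
ca_path = "${TLS_CA_PATH}"
# Only TLS 1.3 is negotiated (see also [tls.security] min/max_version).
protocols = ["TLSv1.3"]
# The first three entries are TLS 1.3 suites. The ECDHE-RSA-* entries are
# TLS 1.2 suites and are inert while only TLS 1.3 is enabled; they become
# active if min_version is ever lowered, so re-review this list at that point.
ciphers = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
]
cert_chain_path = "${TLS_CERT_CHAIN_PATH}"
# DH parameters are only consulted for TLS 1.2 finite-field key exchange;
# unused while the protocol list is TLS 1.3 only.
dhparam_path = "${TLS_DHPARAM_PATH}"

# Self-signed certificate configuration - Disabled for production
[tls.self_signed]
generate_on_startup = false
common_name = ""
subject_alt_names = []
key_size = 4096
valid_days = 90
organization = "${COMPANY_NAME}"
country = "${COUNTRY_CODE}"
state = "${STATE}"
locality = "${CITY}"

# ACME/Let's Encrypt - Production
[tls.acme]
enabled = true
directory_url = "https://acme-v02.api.letsencrypt.org/directory"
email = "${ACME_EMAIL}"
domains = ["${DOMAIN}", "www.${DOMAIN}"]
# http-01 requires port 80 to be reachable from the CA for every listed domain.
challenge_type = "http"
key_type = "ecdsa256"
auto_renew = true
# Renewal starts 30 days out; [tls.monitoring].expiry_warning_days is the same
# value, so any renewal that lags will surface as an expiry warning.
renew_days_before_expiry = 30
backup_count = 5

# mTLS (Mutual TLS) - Production
[tls.mtls]
enabled = false
client_ca_path = "${CLIENT_CA_PATH}"
verify_client_cert = false
require_client_cert = false
# This header is client-controllable unless a trusted front-end proxy strips
# and re-sets it; only honour it behind such a proxy.
client_cert_header = "X-Client-Cert"

# TLS Session Management - Production
[tls.session]
timeout = 300  # seconds (5 minutes)
cache_size = 10000
resumption_enabled = true
session_tickets = true
# Ticket keys protect resumed sessions; rotation bounds the window in which
# a leaked key can decrypt past resumptions.
session_ticket_key_rotation = 3600  # seconds (1 hour)

# Security Settings - Strict for production
[tls.security]
min_version = "TLSv1.3"
max_version = "TLSv1.3"
# Server cipher preference has no effect on TLS 1.3 suite selection in most
# stacks; retained for the TLS 1.2 fallback case.
prefer_server_ciphers = true
enable_sni = true
enable_ocsp_stapling = true
enable_hsts = true
hsts_max_age = 31536000  # seconds (1 year)
hsts_include_subdomains = true
# Preload submits the domain to browser preload lists; removal takes months,
# so all subdomains must serve HTTPS before this is enabled.
hsts_preload = true

# Certificate Monitoring - Production
[tls.monitoring]
enabled = true
check_expiry = true
expiry_warning_days = 30
alert_email = "${ADMIN_EMAIL}"
certificate_transparency_logs = true

# Performance Settings - Production
[tls.performance]
enable_http2 = true
enable_http3 = false
compression = false  # Disabled for security (BREACH attack)
early_data = false  # Disabled for security (0-RTT data is replayable)
buffer_size = 16384
connection_pool_size = 1000

# Certificate Rotation - Production
[tls.rotation]
enabled = true
backup_old_certs = true
# Relative path — presumably resolved against the process working directory;
# if backups include private keys, restrict this directory's permissions.
backup_directory = "certs/backup"
rotation_schedule = "0 2 * * 0"  # Weekly at 2 AM Sunday
max_backup_age_days = 90

# Development Settings - Disabled for production
[tls.development]
allow_self_signed = false
skip_verification = false
# NOTE(review): handshake failures are a useful detection signal (probing,
# downgrade attempts, broken clients); confirm this only gates dev-level
# verbosity and that production still records them elsewhere.
log_handshake_errors = false

# Compliance and Auditing - Production
[tls.compliance]
log_all_connections = true
log_certificate_details = true
# Relative path; confirm it resolves to a location with restricted permissions
# and log rotation.
audit_log_path = "logs/tls_audit.log"
retain_logs_days = 365
pci_dss_compliant = true
fips_140_2_compliant = false

# Load Balancer Integration - Production
[tls.load_balancer]
proxy_protocol = false
real_ip_header = "X-Real-IP"
forwarded_proto_header = "X-Forwarded-Proto"
# These headers are attacker-controllable on direct connections; they should
# only be trusted when the peer address is within trusted_proxies.
trust_proxy_headers = true
trusted_proxies = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]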