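# TLS feature configuration: HTTPS/TLS listener, certificate sources and
# renewal, cipher policy, session handling and the related HTTP security
# headers. Values below are the shipped defaults. Where two keys overlap
# (noted inline) the loader's precedence is not visible from this file.

[features]
# Feature-level switch for TLS/HTTPS support. [tls].enabled below is a second
# toggle; presumably both must be true for the listener to start — confirm
# against the loader.
tls = false

# TLS listener
[tls]
enabled = false
port = 443
# Listens on every interface. Narrow this to one address on hosts that also
# carry internal-only interfaces.
bind_address = "0.0.0.0"
# TLS 1.0 and 1.1 are not listed; adding them lowers the baseline for every
# client, not just the legacy one.
protocols = ["TLSv1.2", "TLSv1.3"]
prefer_server_cipher_order = true
enable_http2 = true
enable_ocsp_stapling = false

# Certificates
[tls.certificates]
# Primary certificate, private key and chain. Paths are relative to the
# working directory unless the loader resolves them otherwise.
cert_path = "certs/server.crt"
key_path = "certs/server.key"
chain_path = "certs/chain.pem"
# Path to a file containing the private-key password; empty means the key is
# expected to be unencrypted. The password itself never goes in this file.
password_file = ""

# Client-certificate (mTLS) validation. client_ca_path is the trust anchor for
# client certificates and is presumably required when verify_client_certs is
# true — confirm against the loader.
verify_client_certs = false
client_ca_path = ""
# true = connections presenting no client certificate are still accepted
# (presumably; confirm).
client_cert_optional = true

# Let's Encrypt (ACME)
[tls.letsencrypt]
enabled = false
# Placeholder address; ACME expiry notices go here.
email = "admin@example.com"
domains = ["example.com", "www.example.com"]
# Production directory. Use the staging directory
# (https://acme-staging-v02.api.letsencrypt.org/directory) while testing:
# it avoids production rate limits and issues certificates browsers do not
# trust, which is fine for a test run.
acme_server = "https://acme-v02.api.letsencrypt.org/directory"
# One of "http-01", "dns-01", "tls-alpn-01". http-01 needs port 80 reachable
# from the internet (see [tls.redirect]); dns-01 is required for wildcard names.
challenge_type = "http-01"
cert_path = "certs/letsencrypt"
auto_renew = true
# Days before expiry at which renewal is attempted.
renew_days_before = 30

# Self-signed certificate generation (development / bootstrap only; clients
# will not trust these without an explicit import or pin).
[tls.self_signed]
enabled = false
country = "US"
state = "California"
city = "San Francisco"
organization = "Rustelo"
organizational_unit = "IT Department"
common_name = "localhost"
# Subject alternative names; modern clients match on these, not common_name.
alt_names = ["127.0.0.1", "::1", "localhost"]
validity_days = 365
# Key size in bits (assumed RSA — the key type is not configurable here).
key_size = 2048

# Certificate expiry monitoring
[tls.monitoring]
check_expiry = true
# Thresholds in days before expiry. The warning value matches
# [tls.letsencrypt].renew_days_before so a missed auto-renewal surfaces at once.
expiry_warning_days = 30
expiry_critical_days = 7
notify_on_expiry = true
health_check_enabled = true

# Cipher suites
[tls.ciphers]
# Recommended for production. The first three are TLS 1.3 suites (IANA names);
# the remainder are TLS 1.2 ECDHE suites in OpenSSL naming. All are AEAD.
# Whether the loader accepts both naming schemes is not visible here — confirm.
allowed_ciphers = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
]
# Legacy CBC (non-AEAD) suites, presumably only offered when
# allow_legacy_ciphers is true. Keep disabled unless a specific client is
# known to need them, and record which one.
allow_legacy_ciphers = false
legacy_ciphers = [
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-SHA256",
]

# Key exchange
[tls.key_exchange]
# Preference order: X25519 first; the NIST curves remain for clients without
# X25519 support.
ecdh_curves = ["X25519", "prime256v1", "secp384r1"]
# Only relevant if finite-field DHE suites are ever enabled; none are listed in
# [tls.ciphers] above.
dh_param_size = 2048
# Path to custom DH parameters; empty presumably falls back to built-in or
# generated parameters — confirm against the loader.
dh_param_file = ""

# Session resumption
[tls.session]
enable_session_resumption = true
# seconds
session_timeout = 300
session_cache_size = 1_024
# Session tickets are encrypted under a server-side key; that key must rotate,
# since anyone holding it can decrypt every session it protected.
enable_session_tickets = true
# seconds
ticket_key_rotation_interval = 3_600

# HSTS (HTTP Strict Transport Security)
[tls.hsts]
# [tls.security_headers].enable_hsts is a second HSTS toggle; keep the two in
# agreement — precedence is not visible from this file.
enabled = true
# 1 year in seconds
max_age = 31_536_000
include_subdomains = true
# Preload-list submission is effectively irreversible; enable only once every
# subdomain is served over HTTPS.
preload = false

# Certificate Transparency
[tls.ct]
enabled = false
# Verify these against a current CT log list before enabling; log operators
# retire endpoints, and a retired log will fail submissions.
log_servers = [
    "https://ct.googleapis.com/rocketeer/",
    "https://ct.googleapis.com/aviator/",
]

# Performance
[tls.performance]
# TLS 1.3 0-RTT early data can be replayed by an on-path attacker; leave both
# disabled unless every request that may arrive as early data is idempotent.
enable_zero_rtt = false
enable_early_data = false
# bytes
buffer_size = 16_384
max_fragment_size = 16_384
# TLS-level compression leaks plaintext through ciphertext length (CRIME);
# keep disabled.
enable_compression = false

# HTTP security headers (when TLS is enabled)
[tls.security_headers]
# Duplicates [tls.hsts].enabled; keep both in agreement.
enable_hsts = true
# HTTP Public Key Pinning is deprecated and dropped by major browsers; a wrong
# pin set locks users out until max_age elapses. Leave disabled.
enable_hpkp = false
hpkp_pins = []
# 60 days in seconds
hpkp_max_age = 5_184_000
hpkp_include_subdomains = false

# HTTP -> HTTPS redirect
[tls.redirect]
enable_http_redirect = true
redirect_port = 80
# permanent_redirect and redirect_status_code overlap (301 is the permanent
# form); keep them consistent — precedence is not visible from this file.
permanent_redirect = true
redirect_status_code = 301

# Certificate store
[tls.cert_store]
# "file", "vault", "aws_acm", "azure_keyvault". Only the aws_acm and vault
# backends have sections in this file.
type = "file"
auto_reload = true
# seconds
reload_interval = 3_600

# AWS Certificate Manager
[tls.cert_store.aws_acm]
region = "us-west-2"
certificate_arn = ""
# Prefer the instance/task IAM role. The static key pair below is presumably
# consulted only when use_iam_role is false; if it is ever populated this file
# becomes a secret: restrict its permissions and keep it out of version control.
use_iam_role = true
access_key_id = ""
secret_access_key = ""

# HashiCorp Vault
[tls.cert_store.vault]
address = "https://vault.example.com:8200"
# Static Vault token; same handling as the AWS keys above. Prefer an auth
# method that issues short-lived tokens over a long-lived value here.
token = ""
mount_path = "pki"
role_name = "web-server"
common_name = "example.com"
# 1 year
ttl = "8760h"

# TLS logging
[tls.logging]
# Handshake and cipher logs are verbose and may carry client identifiers;
# enable only while troubleshooting.
log_handshakes = false
log_errors = true
log_certificate_validation = false
log_cipher_negotiation = false
# "trace", "debug", "info", "warn", "error"
debug_level = "info"

# Development overrides. Everything here weakens or bypasses checks set up
# elsewhere in this file; keep them disabled outside a development environment.
[tls.development]
# accept_invalid_certs and skip_cert_verification overlap; which one the loader
# honours is not visible here — keep both false.
accept_invalid_certs = false
# Accepts self-signed peer certificates (presumably; confirm whether this
# covers the server certificate, client certificates or outbound connections).
accept_self_signed = true
skip_cert_verification = false
# By its name this would record session contents; never enable outside an
# isolated development host.
log_all_tls_traffic = false
enable_tls_debug = false

# Load balancer integration
[tls.load_balancer]
proxy_protocol = false
# The client address taken from real_ip_header must only be honoured for
# connections arriving from trusted_proxies; any other peer can set the header
# and spoof its address, which also defeats the per-IP limit in
# [tls.rate_limiting]. Whether the loader enforces this is not visible here.
real_ip_header = "X-Real-IP"
trusted_proxies = ["127.0.0.1", "::1"]
# true when TLS terminates at the load balancer and this service sees plain
# HTTP (presumably — confirm).
terminate_at_lb = false

# TLS handshake rate limiting
[tls.rate_limiting]
max_handshakes_per_second = 100
# Depends on the real client address; see [tls.load_balancer].
max_handshakes_per_ip = 10
# seconds
handshake_timeout = 10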