chore: add config path
2025-07-07 23:13:01 +01:00


# TLS Feature Configuration - Production Environment
# Settings optimized for production security and performance.
# Values written as "${VAR}" are placeholders, not TOML interpolation (TOML has
# none): the application must expand them from the environment at load time,
# and should fail closed if one is missing rather than use the literal string.
# Feature flags. The TLS behaviour itself is configured in [server.tls] and the
# [tls.*] tables below; this switch only turns the feature on.
[features]
tls = true
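# TLS Configuration - Production
[server.tls]
enabled = true
# ${VAR} placeholders are expanded by the application, not by TOML.
cert_path = "${TLS_CERT_PATH}"
key_path = "${TLS_KEY_PATH}"
ca_path = "${TLS_CA_PATH}"
# TLS 1.3 only; must agree with [tls.security] min_version/max_version.
protocols = ["TLSv1.3"]
# TLS 1.3 suites only. The ECDHE-RSA-* TLS 1.2 suites previously listed here
# could never be negotiated: TLS 1.2 is disabled above, and the certificate
# key type configured in [tls.acme] is ECDSA, which RSA suites cannot use.
# Re-add TLS 1.2 suites only if TLS 1.2 is deliberately re-enabled.
ciphers = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
]
# NOTE(review): both cert_path (above) and cert_chain_path exist; confirm which
# file the server actually serves and that it contains the full chain
# (leaf + intermediates), otherwise clients that lack the intermediate fail.
cert_chain_path = "${TLS_CERT_CHAIN_PATH}"
# NOTE(review): TLS 1.3 does not use custom DH parameters (key exchange uses
# named groups), so this file is unused while TLS 1.2 is disabled. Kept so the
# config schema is unchanged.
dhparam_path = "${TLS_DHPARAM_PATH}"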
# Self-signed certificate configuration - Disabled for production
# (generate_on_startup = false). The remaining keys are presumably inert while
# generation is off; they are kept so the table keeps its full shape.
[tls.self_signed]
generate_on_startup = false
common_name = ""
subject_alt_names = []
# 4096-bit key, 90-day lifetime: only relevant if generation is re-enabled.
key_size = 4096
valid_days = 90
# ${VAR} placeholders are expanded by the application, not by TOML.
organization = "${COMPANY_NAME}"
country = "${COUNTRY_CODE}"
state = "${STATE}"
locality = "${CITY}"
# ACME/Let's Encrypt - Production
# Automatic issuance and renewal of the server certificate.
[tls.acme]
enabled = true
# Production directory: issuance rate limits apply. Point at the staging
# directory when testing issuance so the production quota is not exhausted.
directory_url = "https://acme-v02.api.letsencrypt.org/directory"
email = "${ACME_EMAIL}"
# NOTE(review): both names must resolve to a host that can answer the
# challenge, or issuance fails for the whole order.
domains = ["${DOMAIN}", "www.${DOMAIN}"]
# http-01 challenge: port 80 must be reachable from the internet at every
# renewal, including through the proxies in [tls.load_balancer]. A dns
# challenge would remove the port-80 dependency.
challenge_type = "http"
# ECDSA key (presumably P-256). This rules out RSA cipher suites, so any
# ECDHE-RSA-* entries in [server.tls] ciphers are dead configuration.
key_type = "ecdsa256"
# Renew when 30 days remain. [tls.monitoring] expiry_warning_days should be
# strictly smaller than this, so that an expiry alert means renewal has
# actually failed rather than merely become due.
auto_renew = true
renew_days_before_expiry = 30
# Previous certificate versions kept. [tls.rotation] defines a second,
# age-based backup retention; confirm the two policies are intentional.
backup_count = 5
# mTLS (Mutual TLS) - Production
# Disabled: no client certificate is requested, verified or required.
[tls.mtls]
enabled = false
client_ca_path = "${CLIENT_CA_PATH}"
verify_client_cert = false
require_client_cert = false
# Header name, presumably carrying a client certificate forwarded by an
# upstream TLS terminator. NOTE(review): if mTLS is ever enabled, this header
# must be accepted only from [tls.load_balancer] trusted_proxies and stripped
# from client-supplied requests at the edge; otherwise any client can forge it
# and impersonate a certificate holder. Not a live risk while enabled = false.
client_cert_header = "X-Client-Cert"
# TLS Session Management - Production
[tls.session]
timeout = 300 # 5 minutes
cache_size = 10000
resumption_enabled = true
# Stateless session tickets. A leaked ticket key decrypts every session resumed
# under it, so the rotation interval bounds that exposure. NOTE(review): if the
# service runs as several instances, the ticket key must be shared between them
# or resumption fails across instances — confirm how the key is distributed.
session_tickets = true
session_ticket_key_rotation = 3600 # 1 hour
# Security Settings - Strict for production
[tls.security]
# TLS 1.3 only; must agree with [server.tls] protocols.
min_version = "TLSv1.3"
max_version = "TLSv1.3"
# Mainly relevant to TLS 1.2 negotiation; with a TLS-1.3-only list of AEAD
# suites its effect is marginal. Harmless to keep.
prefer_server_ciphers = true
enable_sni = true
# NOTE(review): Let's Encrypt (the ACME directory in [tls.acme]) has been
# phasing out OCSP during 2025; certificates issued without an OCSP responder
# URL leave nothing to staple. Confirm stapling still does anything, or accept
# it as a no-op.
enable_ocsp_stapling = true
# HSTS: one year, all subdomains, preload. Preload is effectively permanent and
# covers every subdomain of ${DOMAIN}; confirm every subdomain serves HTTPS
# before submitting to the preload list.
enable_hsts = true
hsts_max_age = 31536000 # 1 year
hsts_include_subdomains = true
hsts_preload = true
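# Certificate Monitoring - Production
[tls.monitoring]
enabled = true
check_expiry = true
# Alert threshold. [tls.acme] renews at renew_days_before_expiry = 30, so a
# warning at 30 days would fire the moment renewal becomes due — on every
# renewal cycle, whether or not it succeeds. 20 days gives auto-renew ~10 days
# to succeed first, so an alert means renewal has actually failed.
# Keep this strictly below renew_days_before_expiry.
expiry_warning_days = 20
alert_email = "${ADMIN_EMAIL}"
# Presumably watches CT logs for issuance against our domains; unexpected
# entries are how mis-issuance or a compromised ACME account surfaces.
certificate_transparency_logs = true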
# Performance Settings - Production
[tls.performance]
enable_http2 = true
enable_http3 = false
# TLS-level compression enables CRIME; compressing secret-bearing HTTP responses
# enables BREACH. Which layer this key controls is not visible here — keep it
# off either way.
compression = false # Disabled for security (CRIME/BREACH)
# 0-RTT early data is replayable by an on-path attacker; leave disabled unless
# every request that could arrive as early data is idempotent.
early_data = false # Disabled for security
buffer_size = 16384
connection_pool_size = 1000
# Certificate Rotation - Production
[tls.rotation]
enabled = true
# Old certificates are copied aside before rotation. NOTE(review): if the
# backups include private keys, this directory holds every key issued in the
# last max_backup_age_days; it must be owner-only, never under a web-served
# path, and protected at least as well as the live key.
backup_old_certs = true
# Relative path, resolved against the process working directory rather than
# this file. Prefer an absolute path so the location does not depend on how
# the service is launched.
backup_directory = "certs/backup"
# Weekly at 02:00 Sunday (presumably server local time). Runs alongside
# [tls.acme] auto_renew; confirm the two mechanisms do not contend for the
# same files.
rotation_schedule = "0 2 * * 0" # Weekly at 2 AM Sunday
max_backup_age_days = 90
# Development Settings - Disabled for production
# Both bypasses must stay false here: accepting self-signed certificates or
# skipping verification removes authentication of the peer entirely.
[tls.development]
allow_self_signed = false
skip_verification = false
# NOTE(review): handshake failures (unsupported versions, bad SNI, scanner
# probes, rejected client certificates) are a useful detection signal, not
# only a debugging aid. Consider enabling this in production if the volume is
# acceptable, or confirm that [tls.compliance] log_all_connections already
# records failed handshakes.
log_handshake_errors = false
# Compliance and Auditing - Production
[tls.compliance]
# Per-connection logging with one-year retention: high volume, and the log will
# likely contain client addresses (personal data in some jurisdictions) —
# make sure the retention period is covered by policy.
log_all_connections = true
# NOTE(review): confirm this logs certificate metadata only and never private
# key material.
log_certificate_details = true
# Relative path, resolved against the working directory; prefer an absolute
# path and make the file append-only for the service user so an intruder
# cannot trim their own trail.
audit_log_path = "logs/tls_audit.log"
retain_logs_days = 365
# These flags are declarations, not enforcement: setting one does not make the
# deployment compliant. fips_140_2_compliant = false is consistent with the
# ChaCha20-Poly1305 suite in [server.tls], which is not FIPS-approved.
pci_dss_compliant = true
fips_140_2_compliant = false
# Load Balancer Integration - Production
[tls.load_balancer]
proxy_protocol = false
real_ip_header = "X-Real-IP"
forwarded_proto_header = "X-Forwarded-Proto"
# Presumably the two headers above are honoured only when the connection
# arrives from trusted_proxies. NOTE(review): three full RFC 1918 ranges is
# very broad — any host in those networks, not just the load balancer, can set
# X-Real-IP / X-Forwarded-Proto, spoofing the client address in the audit log
# and any rate limiting, and claiming an HTTPS origin. Narrow this to the load
# balancer's actual addresses or subnet.
trust_proxy_headers = true
trusted_proxies = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]