Rustelo/config/features/tls/example.toml

# TLS Feature Configuration - Example Environment
# Complete documentation of all SSL/TLS security options
#
# NOTE(review): several settings are stated twice under different tables
# (compression / compatibility.compression_disabled, session_timeout /
# performance.cache_timeout, prefer_server_ciphers / ciphers.cipher_order,
# protocols / compatibility.min_tls_version+max_tls_version). Which copy the
# loader honours when they disagree is not visible here; keep them consistent.
[features]
tls = true
[tls]
enabled = true
force_https = true # Force HTTPS redirects
# The private key must be readable only by the service account; the
# certificate and CA bundle can be world-readable.
cert_file = "/etc/ssl/certs/example.crt" # TLS certificate file path
key_file = "/etc/ssl/private/example.key" # TLS private key file path
ca_file = "/etc/ssl/certs/ca-bundle.crt" # CA certificate bundle file path
# Optional. If the issuer chain is not already appended to cert_file, clients
# that cannot fetch intermediates themselves will fail path validation.
cert_chain_file = "" # Certificate chain file (optional)
# Used by the "DHE" key exchange listed in [tls.security]; 2048-bit or larger
# parameters are expected here (see weak_dh_disabled in [tls.compatibility]).
dhparam_file = "/etc/ssl/dhparam.pem" # Diffie-Hellman parameters file
protocols = ["TLSv1.2", "TLSv1.3"] # Supported TLS protocol versions (also stated as min/max in [tls.compatibility])
prefer_server_ciphers = true # Prefer server cipher order (same intent as cipher_order in [tls.ciphers])
session_timeout = 300 # TLS session timeout in seconds
session_cache_size = 20480 # TLS session cache size (unit not stated; presumably entries — confirm, [tls.performance].cache_size is in bytes)
# With tickets off, resumption (see [tls.performance]) relies on the
# server-side cache only, and ticket_keys_rotation in [tls.advanced] has
# nothing to rotate.
session_tickets = false # Disable session tickets for security
renegotiation = false # Disable TLS renegotiation
compression = false # Disable TLS compression (CRIME attack); restated as compression_disabled in [tls.compatibility]
[tls.ciphers]
# Cipher suites for TLS 1.2 and 1.3, in preference order. The first three are
# TLS 1.3 suites (IANA names); the rest use OpenSSL-style TLS 1.2 names.
# NOTE(review): most libraries configure the two groups through separate
# settings — confirm the loader splits this list rather than passing all of
# it to a single cipher-list API, where the unknown names would be ignored.
cipher_suites = [
# TLS 1.3 ciphers (all AEAD)
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_AES_128_GCM_SHA256",
# TLS 1.2 AEAD ciphers (GCM / ChaCha20-Poly1305)
"ECDHE-ECDSA-AES256-GCM-SHA384",
"ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-ECDSA-CHACHA20-POLY1305",
"ECDHE-RSA-CHACHA20-POLY1305",
"ECDHE-ECDSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES128-GCM-SHA256",
# TLS 1.2 CBC ciphers with HMAC (AES-CBC, not AEAD). Listed last so that,
# with server ordering, they are only chosen by clients that offer none of
# the AEAD suites above. Drop them for a TLS 1.3-only or "modern"-profile
# deployment (see security_policy in [tls.compliance]).
"ECDHE-ECDSA-AES256-SHA384",
"ECDHE-RSA-AES256-SHA384",
"ECDHE-ECDSA-AES128-SHA256",
"ECDHE-RSA-AES128-SHA256"
]
# Cipher suite selection order (same intent as prefer_server_ciphers in [tls])
cipher_order = "server" # Use server cipher order preference
ecdh_curves = [ # Supported ECDH curves, in preference order (X25519 first; prime256v1 is P-256)
"X25519", "prime256v1", "secp384r1"
]
# RSA-PSS and ECDSA first; PKCS#1 v1.5 kept last for older peers.
signature_algorithms = [ # Supported signature algorithms
"rsa_pss_rsae_sha256",
"rsa_pss_rsae_sha384",
"rsa_pss_rsae_sha512",
"ecdsa_secp256r1_sha256",
"ecdsa_secp384r1_sha384",
"ecdsa_secp521r1_sha512",
"rsa_pkcs1_sha256",
"rsa_pkcs1_sha384",
"rsa_pkcs1_sha512"
]
[tls.security]
# HTTP Strict Transport Security (HSTS)
hsts_enabled = true # Enable HSTS
hsts_max_age = 31536000 # HSTS max age in seconds (1 year; the minimum accepted for preload)
hsts_include_subdomains = true # Include subdomains in HSTS (required for preload)
# Preload is a long-lived commitment: once the domain is on browser preload
# lists removal is slow, and every subdomain must serve HTTPS. Keep this false
# until that holds for the real deployment; it is not a safe default for an
# example file.
hsts_preload = true # Enable HSTS preload
# The header name is fixed by RFC 6797; this key should never need changing.
hsts_header = "Strict-Transport-Security" # HSTS header name
# Perfect Forward Secrecy
pfs_enabled = true # Enable Perfect Forward Secrecy
ephemeral_keys = true # Use ephemeral keys
key_exchange_algorithms = [ # Supported key exchange algorithms ("DHE" uses dhparam_file from [tls])
"ECDHE", "DHE"
]
# OCSP (Online Certificate Status Protocol)
ocsp_enabled = true # Enable OCSP
ocsp_stapling = true # Enable OCSP stapling
# Must-staple only works if the certificate itself carries the TLS Feature
# extension (the ACME order has to request it) and stapling is reliable;
# otherwise clients that honour the extension hard-fail the connection.
ocsp_must_staple = true # Require OCSP must-staple
ocsp_responder_url = "" # OCSP responder URL (auto-detect if empty; presumably from the certificate's AIA — confirm)
ocsp_cache_timeout = 3600 # OCSP response cache timeout (presumably seconds — confirm)
# Certificate Transparency
ct_enabled = true # Enable Certificate Transparency
# NOTE(review): Argon logs are sharded by certificate expiry year, so the
# 2020-2022 shards below only cover certificates that have already expired.
# Replace with the current shards before using this outside an example.
ct_logs = [ # Certificate Transparency log URLs
"https://ct.googleapis.com/logs/argon2020/",
"https://ct.googleapis.com/logs/argon2021/",
"https://ct.googleapis.com/logs/argon2022/"
]
ct_sct_required = true # Require SCT (Signed Certificate Timestamp)
[tls.certificates]
# Certificate management and validation
cert_validation = true # Enable certificate validation
verify_hostname = true # Verify hostname in certificate
verify_expiration = true # Verify certificate expiration
expiration_warning_days = 30 # Warn when certificate expires in N days (mirrors the cert_expiry_days threshold in [tls.monitoring])
check_revocation = true # Check certificate revocation status
# Keep false outside development; [tls.testing] carries its own
# self_signed_allowed flag, gated by testing.enabled.
allow_self_signed = false # Allow self-signed certificates (dev only)
cert_store_path = "/etc/ssl/certs" # Certificate store path
trusted_ca_file = "/etc/ssl/certs/ca-certificates.crt" # Trusted CA file (a different bundle from ca_file in [tls]; which is used for what is not visible here — confirm)
# Multi-domain certificates
sni_enabled = true # Enable Server Name Indication (SNI)
sni_strict = true # Strict SNI checking (presumably rejects handshakes whose SNI matches no entry instead of falling back to default_cert — confirm)
default_cert = "/etc/ssl/certs/default.crt" # Default certificate (no matching key listed here; presumably key_file from [tls] — confirm)
# Per-hostname certificate/key pairs. The key files need the same restrictive
# permissions as key_file in [tls].
sni_certificates = [
{ hostname = "api.example.com", cert_file = "/etc/ssl/certs/api.example.com.crt", key_file = "/etc/ssl/private/api.example.com.key" },
{ hostname = "admin.example.com", cert_file = "/etc/ssl/certs/admin.example.com.crt", key_file = "/etc/ssl/private/admin.example.com.key" }
] # SNI certificate mappings
[tls.auto_renewal]
enabled = true # Enable automatic certificate renewal
provider = "lets_encrypt" # Certificate provider: lets_encrypt, internal_ca
acme_enabled = true # Enable ACME protocol
acme_directory = "https://acme-v02.api.letsencrypt.org/directory" # ACME directory URL (this is the production directory; point at the provider's staging directory while testing to stay under rate limits)
acme_email = "admin@example.com" # ACME account contact email
acme_key_type = "ec256" # ACME key type: rsa2048, rsa4096, ec256, ec384
# NOTE(review): http-01 cannot issue wildcard certificates, so the dns_*
# keys below are inert unless this is changed to "dns-01".
acme_challenge = "http-01" # ACME challenge type: http-01, dns-01, tls-alpn-01
renewal_threshold = 2592000 # Renewal threshold in seconds (renew when less than 30 days remain)
renewal_schedule = "0 2 * * *" # Renewal check schedule, cron syntax (daily at 2 AM)
backup_old_certs = true # Backup old certificates before renewal
# Run by the renewal process after a successful renewal, with that process's
# privileges. Keep this file writable only by an administrator, since anyone
# who can edit the list can run commands as the renewal user. The webhook
# URL is an example value.
post_renewal_hooks = [ # Commands to run after renewal
"systemctl reload nginx",
"curl -X POST https://example.com/webhook/cert-renewed"
]
# DNS challenge configuration (for wildcard certificates)
dns_provider = "cloudflare" # DNS provider for DNS-01 challenge
# TOML has no variable substitution: the values below are the literal strings
# "${CLOUDFLARE_API_TOKEN}" and "${CLOUDFLARE_ZONE_ID}" unless the loader
# expands them itself. Confirm that before relying on this pattern to keep the
# API token out of the config file.
dns_credentials = { api_token = "${CLOUDFLARE_API_TOKEN}", zone_id = "${CLOUDFLARE_ZONE_ID}" }
dns_propagation_timeout = 300 # DNS propagation timeout in seconds
[tls.client_auth]
# Mutual TLS. NOTE(review): the remaining keys in this table presumably have
# no effect while enabled = false — confirm.
enabled = false # Enable client certificate authentication
require_client_cert = false # Require client certificates (false presumably means a client without a cert is still accepted — confirm)
verify_client_cert = true # Verify client certificates
client_ca_file = "/etc/ssl/certs/client-ca.crt" # Client CA certificate file
client_cert_store = "/etc/ssl/client-certs" # Client certificate store
# A CRL file goes stale; it must be refreshed on the CA's publication schedule
# or the OCSP check below has to cover what the CRL misses.
revocation_check = true # Check client certificate revocation
crl_file = "/etc/ssl/crl/client-crl.pem" # Certificate Revocation List file
ocsp_client_check = true # OCSP check for client certificates
# Client certificate policies
# Path globs with per-path requirements. allowed_cas holds CA names; how they
# map to client_ca_file is not visible here — confirm. An empty allowed_cas on
# a require_cert = false path presumably means "no restriction".
client_cert_policies = [
{ path = "/api/admin/*", require_cert = true, allowed_cas = ["internal-ca", "partner-ca"] },
{ path = "/api/public/*", require_cert = false, allowed_cas = [] }
]
[tls.monitoring]
enabled = true # Enable TLS monitoring
health_checks = true # Enable TLS health checks
cert_expiry_monitoring = true # Monitor certificate expiry
cipher_monitoring = true # Monitor cipher usage
protocol_monitoring = true # Monitor protocol usage
handshake_monitoring = true # Monitor TLS handshakes
error_monitoring = true # Monitor TLS errors
performance_monitoring = true # Monitor TLS performance
# Monitoring thresholds and alerts. `value` is an integer day count for
# cert_expiry_days and a float percentage for the others; the direction of
# each comparison is given only in the description, not by the key.
alert_thresholds = [
{ metric = "cert_expiry_days", value = 30, description = "Alert when certificate expires in N days" },
{ metric = "handshake_errors", value = 5.0, description = "Alert when handshake error rate > N%" },
{ metric = "weak_cipher_usage", value = 1.0, description = "Alert when weak cipher usage > N%" },
{ metric = "tls_version_compliance", value = 95.0, description = "Alert when modern TLS usage < N%" }
]
# Monitoring endpoints. These expose certificate, cipher and error details;
# NOTE(review): confirm they are served only to internal networks or behind
# authentication — nothing in this file restricts them.
metrics_endpoint = "/metrics/tls" # TLS metrics endpoint
health_endpoint = "/health/tls" # TLS health check endpoint
status_endpoint = "/status/tls" # TLS status endpoint
[tls.logging]
enabled = true # Enable TLS logging
log_level = "info" # Log level: error, warn, info, debug
log_file = "/var/log/rustelo/tls.log" # TLS log file path
log_format = "json" # Log format: json, plain
log_rotation = true # Enable log rotation
max_log_size = 104857600 # Maximum log file size in bytes (100 MiB)
max_log_files = 10 # Maximum log files to keep
# What to log. Handshake and client-certificate records likely carry client
# addresses, SNI names and certificate subjects — personal data under the
# gdpr_compliance flag in [tls.compliance] — so size retention
# (max_log_files) accordingly.
log_handshakes = true # Log TLS handshakes
log_certificate_events = true # Log certificate events
log_errors = true # Log TLS errors
log_cipher_usage = false # Log cipher usage (verbose)
log_client_certs = true # Log client certificate events
log_performance = false # Log performance metrics (verbose)
log_security_events = true # Log security-related events
[tls.performance]
enabled = true # Enable performance optimizations
session_resumption = true # Enable session resumption (cache-based only, since [tls] sets session_tickets = false)
session_cache = "shared" # Session cache type: off, builtin, shared
cache_size = 1048576 # Session cache size in bytes (1 MiB; overlaps session_cache_size in [tls])
cache_timeout = 300 # Session cache timeout in seconds (overlaps session_timeout in [tls])
# 0-RTT data is replayable at the network level. Leave this off unless every
# request that may arrive as early data is idempotent and the application can
# distinguish early data from the rest of the stream.
early_data = false # Enable TLS 1.3 early data (0-RTT)
max_early_data = 16384 # Maximum early data size in bytes (only relevant when early_data = true)
async_handshakes = true # Enable async TLS handshakes
handshake_timeout = 10 # Handshake timeout in seconds (bounds how long a slow or stalled handshake holds resources)
buffer_size = 16384 # TLS buffer size in bytes (same value as record_size_limit in [tls.advanced])
tcp_nodelay = true # Disable Nagle's algorithm for TLS
keepalive = true # Enable TCP keepalive for TLS connections
[tls.compatibility]
# Compatibility settings for older clients. Several keys restate settings in
# [tls] (compression, renegotiation, protocols); NOTE(review): keep them in
# agreement — which copy the loader honours is not visible here.
legacy_support = false # Enable legacy TLS support (not recommended)
min_tls_version = "1.2" # Minimum TLS version (must agree with protocols in [tls])
max_tls_version = "1.3" # Maximum TLS version
fallback_scsv = true # Enable Fallback SCSV (RFC 7507); only relevant while more than one version is offered
secure_renegotiation = true # Enable secure renegotiation (RFC 5746 extension)
client_renegotiation = false # Allow client-initiated renegotiation
compression_disabled = true # Disable TLS compression (same as compression = false in [tls])
# None of the cipher classes below appear in [tls.ciphers].cipher_suites, so
# these flags are a backstop rather than the primary control.
rc4_disabled = true # Disable RC4 ciphers
weak_dh_disabled = true # Disable weak DH parameters (see dhparam_file in [tls])
export_ciphers_disabled = true # Disable export ciphers
null_ciphers_disabled = true # Disable NULL ciphers
anonymous_ciphers_disabled = true # Disable anonymous ciphers
[tls.testing]
# Development-only loosening. NOTE(review): the keys below presumably take
# effect only while enabled = true — confirm, since test_certificates and
# self_signed_allowed are already true in this example.
enabled = false # Enable TLS testing (development only)
test_certificates = true # Use test certificates
self_signed_allowed = true # Allow self-signed certificates
weak_ciphers_allowed = false # Allow weak ciphers for testing
insecure_protocols_allowed = false # Allow insecure protocols for testing
certificate_validation_disabled = false # Disable certificate validation
hostname_verification_disabled = false # Disable hostname verification
test_client_certs = false # Use test client certificates
mock_ocsp_responses = false # Mock OCSP responses
ssl_labs_testing = false # Enable SSL Labs API testing (calls an external service)
[tls.compliance]
# Compliance with security standards. These flags select policy checks; they
# do not by themselves make the deployment compliant, and which checks each
# flag turns on is not visible here.
pci_dss_compliance = true # Enable PCI DSS compliance
fips_mode = false # Enable FIPS mode (needs a FIPS-validated crypto module underneath)
common_criteria = false # Enable Common Criteria compliance
fedramp_compliance = false # Enable FedRAMP compliance
hipaa_compliance = false # Enable HIPAA compliance
gdpr_compliance = true # Enable GDPR compliance (see the personal data noted in [tls.logging])
# Security policy enforcement
# NOTE(review): if "modern" follows the Mozilla profile of that name it is
# TLS 1.3-only, which conflicts with min_tls_version = "1.2" and the TLS 1.2
# CBC suites in [tls.ciphers] — confirm the intended meaning.
security_policy = "modern" # Security policy: modern, intermediate, legacy
policy_enforcement = "strict" # Policy enforcement: strict, moderate, relaxed
audit_mode = false # Enable audit mode (log violations only); presumably overrides block_violations when true — confirm
block_violations = true # Block policy violations
violation_logging = true # Log policy violations
[tls.advanced]
# Advanced TLS configuration options
custom_extensions = [] # Custom TLS extensions
alpn_protocols = ["h2", "http/1.1"] # ALPN protocol list, in preference order
npn_protocols = [] # NPN protocol list (deprecated, superseded by ALPN; leave empty)
key_update_enabled = true # Enable TLS 1.3 key updates
post_handshake_auth = false # Enable post-handshake authentication (TLS 1.3 client auth after the handshake; pairs with [tls.client_auth])
record_size_limit = 16384 # TLS record size limit in bytes (RFC 8449 extension)
max_fragment_length = 16384 # Maximum fragment length (RFC 6066 only defines 512-4096 for this extension; how 16384 is interpreted is not visible here — confirm)
heartbeat_enabled = false # Enable heartbeat extension (disabled for security)
# Only meaningful while session tickets are in use; [tls] sets session_tickets = false.
ticket_keys_rotation = true # Enable ticket key rotation
psk_enabled = false # Enable pre-shared keys
external_psk = false # Enable external PSK
hybrid_encryption = false # Enable hybrid encryption (quantum-resistant); which key-exchange group this selects is not visible here
# Custom cipher suites for specific use cases
custom_cipher_suites = [] # Custom cipher suite configurations
cipher_suite_preferences = [] # Cipher suite preference overrides
protocol_preferences = [] # Protocol preference overrides