Encryption in Transit
TLS 1.3 and mTLS for all network communication.
Overview
All network traffic is encrypted: - External Traffic: TLS 1.3 with strong cipher suites - Internal Traffic: mTLS (mutual TLS) for service mesh - Compliance: FIPS 140-2, NIST 800-53 SC-8, FedRAMP - Certificate Management: Automated rotation with cert-manager
TLS 1.3 Configuration
NGINX (API Gateway)
nginx.conf:
server {
listen 443 ssl http2;
server_name gateway.local.bluefly.io;
# TLS 1.3 only
ssl_protocols TLSv1.3;
# Strong cipher suites
ssl_ciphers 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256';
ssl_prefer_server_ciphers off;
# Certificates
ssl_certificate /etc/certs/gateway.crt;
ssl_certificate_key /etc/certs/gateway.key;
ssl_certificate_key /etc/certs/gateway.key;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/certs/ca-chain.crt;
# Session cache
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
# HSTS
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Security headers
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header X-XSS-Protection "1; mode=block" always;
location / {
proxy_pass http://backend;
proxy_ssl_verify on;
proxy_ssl_trusted_certificate /etc/certs/ca.crt;
}
}
Node.js (Express)
server.ts:
import * as https from 'https';
import * as fs from 'fs';
import express from 'express';
const app = express();
const httpsOptions = {
// TLS 1.3
minVersion: 'TLSv1.3' as const,
maxVersion: 'TLSv1.3' as const,
// Certificates
key: fs.readFileSync('/etc/certs/server.key'),
cert: fs.readFileSync('/etc/certs/server.crt'),
ca: fs.readFileSync('/etc/certs/ca.crt'),
// Cipher suites
ciphers: [
'TLS_AES_256_GCM_SHA384',
'TLS_CHACHA20_POLY1305_SHA256',
'TLS_AES_128_GCM_SHA256'
].join(':'),
// Prefer server ciphers
honorCipherOrder: false,
// Session resumption
sessionTimeout: 600,
ticketKeys: undefined, // Disable session tickets
// OCSP stapling
requestOCSP: true
};
const server = https.createServer(httpsOptions, app);
server.listen(3001, () => {
console.log('HTTPS server running on port 3001');
});
Mutual TLS (mTLS)
Service Mesh Configuration
Istio mTLS Policy:
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: llm-platform
spec:
mtls:
mode: STRICT # Require mTLS for all traffic
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: mtls-for-all
namespace: llm-platform
spec:
host: "*.llm-platform.svc.cluster.local"
trafficPolicy:
tls:
mode: ISTIO_MUTUAL # Use Istio-managed certificates
gRPC with mTLS
server.ts:
import * as grpc from '@grpc/grpc-js';
import * as fs from 'fs';
// Load certificates
const serverCert = fs.readFileSync('/etc/certs/server.crt');
const serverKey = fs.readFileSync('/etc/certs/server.key');
const caCert = fs.readFileSync('/etc/certs/ca.crt');
// Create mTLS credentials
const credentials = grpc.ServerCredentials.createSsl(
caCert, // CA certificate
[{
cert_chain: serverCert,
private_key: serverKey
}],
true // Check client certificate
);
// Create gRPC server
const server = new grpc.Server();
// Add services
server.addService(AgentMeshService, implementation);
// Start server with mTLS
server.bindAsync(
'0.0.0.0:50051',
credentials,
(err, port) => {
if (err) throw err;
console.log(`gRPC server with mTLS running on port ${port}`);
server.start();
}
);
client.ts:
import * as grpc from '@grpc/grpc-js';
import * as fs from 'fs';
// Load certificates
const clientCert = fs.readFileSync('/etc/certs/client.crt');
const clientKey = fs.readFileSync('/etc/certs/client.key');
const caCert = fs.readFileSync('/etc/certs/ca.crt');
// Create mTLS credentials
const credentials = grpc.credentials.createSsl(
caCert,
clientKey,
clientCert
);
// Create client
const client = new AgentMeshClient(
'mesh.local.bluefly.io:50051',
credentials
);
// Make authenticated call
client.registerAgent({ agentId: 'agent-001' }, (err, response) => {
if (err) console.error(err);
else console.log(response);
});
Certificate Management
Cert-Manager (Kubernetes)
ClusterIssuer:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: internal-ca
spec:
ca:
secretName: ca-key-pair
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: gateway-tls
namespace: llm-platform
spec:
secretName: gateway-tls-secret
issuerRef:
name: internal-ca
kind: ClusterIssuer
commonName: gateway.local.bluefly.io
dnsNames:
- gateway.local.bluefly.io
- "*.local.bluefly.io"
duration: 2160h # 90 days
renewBefore: 720h # 30 days before expiration
privateKey:
algorithm: RSA
size: 2048
usages:
- digital signature
- key encipherment
- server auth
- client auth
Automatic Rotation
Rotation Schedule: - Leaf certificates: 90 days - Intermediate CA: 1 year - Root CA: 10 years - Auto-renewal: 30 days before expiration
Rotation Monitoring:
class CertificateMonitor {
async checkExpiration() {
const certs = await this.listCertificates();
for (const cert of certs) {
const daysUntilExpiry = this.getDaysUntilExpiry(cert);
if (daysUntilExpiry <= 30) {
await this.alert({
severity: 'warning',
message: `Certificate ${cert.name} expires in ${daysUntilExpiry} days`,
action: 'renew'
});
}
if (daysUntilExpiry <= 7) {
await this.alert({
severity: 'critical',
message: `Certificate ${cert.name} expires in ${daysUntilExpiry} days!`,
action: 'urgent_renew'
});
// Auto-renew
await this.renewCertificate(cert);
}
}
}
}
Protocol-Specific Encryption
PostgreSQL SSL
postgresql.conf:
ssl = on
ssl_cert_file = '/etc/certs/server.crt'
ssl_key_file = '/etc/certs/server.key'
ssl_ca_file = '/etc/certs/ca.crt'
ssl_min_protocol_version = 'TLSv1.3'
ssl_ciphers = 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256'
ssl_prefer_server_ciphers = on
Client Connection:
import { Pool } from 'pg';
const pool = new Pool({
host: 'postgres.local.bluefly.io',
port: 5432,
database: 'llm_platform',
user: 'app_user',
password: process.env.DB_PASSWORD,
ssl: {
rejectUnauthorized: true,
ca: fs.readFileSync('/etc/certs/ca.crt').toString(),
cert: fs.readFileSync('/etc/certs/client.crt').toString(),
key: fs.readFileSync('/etc/certs/client.key').toString()
}
});
Redis TLS
redis.conf:
tls-port 6380
port 0 # Disable non-TLS
tls-cert-file /etc/certs/redis.crt
tls-key-file /etc/certs/redis.key
tls-ca-cert-file /etc/certs/ca.crt
tls-auth-clients yes
tls-protocols "TLSv1.3"
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
Client Connection:
import Redis from 'ioredis';
const redis = new Redis({
port: 6380,
host: 'redis.local.bluefly.io',
tls: {
rejectUnauthorized: true,
ca: fs.readFileSync('/etc/certs/ca.crt'),
cert: fs.readFileSync('/etc/certs/client.crt'),
key: fs.readFileSync('/etc/certs/client.key')
}
});
WebSocket Security
Secure WebSocket (WSS)
Server:
import { WebSocketServer } from 'ws';
import * as https from 'https';
const server = https.createServer(httpsOptions, app);
const wss = new WebSocketServer({
server,
verifyClient: (info, callback) => {
// Verify JWT token
const token = info.req.headers.authorization?.split(' ')[1];
jwt.verify(token, publicKey, (err, decoded) => {
callback(err === null, err ? 401 : 200);
});
}
});
wss.on('connection', (ws, req) => {
console.log('Secure WebSocket connection established');
ws.on('message', (data) => {
// Handle encrypted message
});
});
Client:
const ws = new WebSocket('wss://tracer.local.bluefly.io/stream', {
headers: {
Authorization: `Bearer ${jwtToken}`
},
rejectUnauthorized: true,
ca: fs.readFileSync('/etc/certs/ca.crt')
});
VPN (IPSec)
For admin/developer access:
strongSwan Configuration:
conn bluefly-vpn
keyexchange=ikev2
ike=aes256-sha256-modp2048!
esp=aes256-sha256-modp2048!
dpdaction=clear
dpddelay=300s
rekey=yes
left=%any
leftauth=eap-mschapv2
leftid=%any
right=vpn.bluefly.io
rightauth=pubkey
rightsendcert=always
rightid="CN=vpn.bluefly.io"
rightsubnet=10.0.0.0/8
auto=add
Monitoring & Validation
TLS Scanning
testssl.sh:
# Scan TLS configuration
testssl.sh --severity MEDIUM \
https://gateway.local.bluefly.io
# Check certificate
openssl s_client -connect gateway.local.bluefly.io:443 \
-showcerts < /dev/null
# Verify TLS 1.3
nmap --script ssl-enum-ciphers -p 443 gateway.local.bluefly.io
Certificate Expiration Monitoring
# Check expiration
echo | openssl s_client -connect gateway.local.bluefly.io:443 2>/dev/null | \
openssl x509 -noout -enddate
# Prometheus metric
curl -s https://gateway.local.bluefly.io/metrics | \
grep 'ssl_certificate_expiry_seconds'
Compliance
NIST 800-53 SC-8
SC-8: Transmission Confidentiality and Integrity
✅ All network traffic encrypted (TLS 1.3, mTLS) ✅ Strong cipher suites only ✅ Certificate-based authentication ✅ Perfect Forward Secrecy (PFS) ✅ HSTS enabled (HTTP→HTTPS redirect)
FedRAMP Requirements
✅ FIPS 140-2 validated crypto ✅ Mutual authentication (mTLS) ✅ Certificate rotation < 90 days ✅ Continuous monitoring ✅ Audit logging