Configuration Reference
Configuration File Format
SecBeat uses TOML format for configuration. The config file to load is specified via the SECBEAT_CONFIG environment variable.
# Specify config file (without .toml extension)
SECBEAT_CONFIG=config.prod ./mitigation-node
# Or use absolute path to directory containing config
SECBEAT_CONFIG=/etc/secbeat/config.prod ./mitigation-node
Platform Settings
[platform]
# Operation mode: tcp, syn, l7, or auto
mode = "l7"

# Node identifier (auto-generated if not set)
node_id = "node-1"

# Environment: dev, staging, prod
environment = "prod"
Network Configuration
[network]
# Listen address for incoming traffic
listen_address = "0.0.0.0:8443"

# Backend upstream servers
# Keep the upstream reachable only from this node (loopback in this example);
# a backend that clients can reach directly bypasses the filtering configured below.
upstream_address = "127.0.0.1:8080"

# Connection limits
max_connections = 100000
connection_timeout_seconds = 60

# Buffer sizes (bytes)
buffer_size = 65536

# TCP options
tcp_nodelay = true
tcp_keepalive = true
TLS Configuration
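[tls]
enabled = true
cert_path = "/etc/secbeat/certs/cert.pem"
# key_path points at the private key: keep the file readable only by the
# account that runs mitigation-node.
key_path = "/etc/secbeat/certs/key.pem"

# Minimum TLS version: 1.2 or 1.3
min_tls_version = "1.3"

# Cipher suites (leave empty for defaults)
# The three suites below are TLS 1.3 suites. If min_tls_version is lowered to
# "1.2", leave the list empty or add TLS 1.2 suites too, and confirm how
# SecBeat treats a 1.2 handshake when only these are listed.
cipher_suites = [
  "TLS_AES_256_GCM_SHA384",
  "TLS_AES_128_GCM_SHA256",
  "TLS_CHACHA20_POLY1305_SHA256"
]
DDoS Protection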
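[ddos.rate_limiting]
# Global rate limits
global_requests_per_second = 100000

# Per-IP rate limits
per_ip_requests_per_second = 1000
per_ip_connections = 100

# Burst allowance
burst_size = 5000

[ddos.blacklist]
# IP addresses to block
# (192.0.2.100 and 203.0.113.50 are documentation-range placeholders; replace them)
ips = ["192.0.2.100", "203.0.113.50"]

# CIDR ranges to block
# (10.0.0.0/8 is RFC 1918 private space: blocking it would also drop internal
# clients, load balancers and health checks that reach the node from 10.x addresses)
cidrs = ["10.0.0.0/8"]

# Auto-blacklist threshold
# (this page does not state what the threshold counts; confirm before tuning)
auto_blacklist_threshold = 10000
auto_blacklist_duration_seconds = 3600 # 3600 seconds = 1 hour
WAF Configuration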
[waf]
enabled = true

# Block common attack patterns
block_sql_injection = true
block_xss = true
block_path_traversal = true
block_command_injection = true

# Custom rules file
# (the file decides what the WAF blocks: keep it writable only by administrators)
rules_file = "/etc/secbeat/waf-rules.json"

# Action: block, log, or challenge
default_action = "block"
SYN Proxy Settings
[syn_proxy]
enabled = true

# Cookie secret (change in production!)
# The value is read from the SYN_COOKIE_SECRET environment variable; set that
# variable rather than writing the secret into this file.
cookie_secret = "${SYN_COOKIE_SECRET}"

# Timeout for handshake completion
timeout_seconds = 30

# Maximum SYN rate per IP
max_syn_per_second = 1000
Metrics & Telemetry
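[telemetry]
# This section shows no bind-address key, so the page does not say which
# interface the two metrics ports listen on. Restrict 9090 and 9191 with a
# firewall if they are reachable from outside the monitoring network.

# Prometheus metrics port
metrics_port = 9090

# Internal metrics port
internal_metrics_port = 9191

# Enable detailed metrics
detailed_metrics = true

# Metrics update interval
update_interval_seconds = 10
Management API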
[management_api]
enabled = true
bind_address = "127.0.0.1:9999"

# API key for authentication
api_key = "${MANAGEMENT_API_KEY}"
api_key_header = "X-SecBeat-API-Key"

# Security
# With require_https = false the key in the X-SecBeat-API-Key header travels in
# cleartext; keep bind_address on loopback until require_https is true.
require_https = false # Set true in production
rate_limit_per_minute = 100
Orchestrator Integration
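[orchestrator]
enabled = true
# endpoint and nats_url below are plaintext (http://, nats://) to localhost.
# If the orchestrator or NATS runs on another host, api_key and heartbeat
# traffic would cross the network unencrypted; confirm which encrypted schemes
# SecBeat accepts before pointing these at a remote address.
endpoint = "http://localhost:3030"

# Authentication
api_key = "${ORCHESTRATOR_API_KEY}"

# Registration
auto_register = true
heartbeat_interval_seconds = 30

# NATS connection
nats_url = "nats://localhost:4222"
Logging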
[logging]
# Log level: error, warn, info, debug, trace
level = "info"

# Log format: json or text
format = "json"

# Output: stdout, stderr, or file path
output = "stdout"

# File rotation (if using file output)
max_size_mb = 100
max_files = 10
Performance Tuning
[performance]
# Worker threads (default: number of CPU cores)
worker_threads = 8

# Enable io_uring (Linux 5.1+)
io_uring_enabled = true

# Memory pool size
memory_pool_size_mb = 512
Webhooks
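[webhooks]
enabled = true

# Webhook endpoints
# No signing secret or authentication option is shown in this section, so the
# receiving application should not treat webhook bodies as authenticated
# unless SecBeat documents such an option elsewhere.
endpoints = [
  "https://your-app.com/webhooks/secbeat"
]

# Events to send
events = [
  "attack_detected",
  "node_health",
  "rule_triggered"
]

# Retry configuration
max_retries = 3
retry_delay_seconds = 5
Environment Variables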
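SecBeat supports environment variable substitution in config files:
# Use ${VAR_NAME} syntax
cookie_secret = "${SYN_COOKIE_SECRET}"
api_key = "${MANAGEMENT_API_KEY}"
Set environment variables:
export SYN_COOKIE_SECRET=$(openssl rand -hex 32)
export MANAGEMENT_API_KEY=$(openssl rand -hex 32)
export ORCHESTRATOR_API_KEY=$(openssl rand -hex 32)
Each of these commands produces a new random value every time it runs, so generate each secret once, keep it in a secret store or a root-only environment file, and load it from there on every start; the API keys also have to match the value the client or orchestrator uses. This page does not say what happens when a referenced variable is unset, so confirm that startup fails rather than running with an empty or literal "${...}" secret.
Configuration Examples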
Development
[platform]
mode = "tcp"
environment = "dev"

[network]
# 0.0.0.0 listens on every interface, and TLS is off below; on a shared
# network use "127.0.0.1:8080" instead.
listen_address = "0.0.0.0:8080"
max_connections = 1000

[tls]
enabled = false

[logging]
level = "debug"
Production
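[platform]
mode = "l7"
environment = "prod"

[network]
listen_address = "0.0.0.0:443"
max_connections = 100000
tcp_nodelay = true

[tls]
enabled = true
cert_path = "/etc/secbeat/certs/cert.pem"
key_path = "/etc/secbeat/certs/key.pem"
min_tls_version = "1.3"

[ddos.rate_limiting]
global_requests_per_second = 100000
per_ip_requests_per_second = 1000

[logging]
level = "info"
format = "json"

# Not shown in this example: [syn_proxy], [management_api] and [orchestrator].
# If they are enabled in production, the reference above says to change the
# cookie secret and to set require_https = true for the management API.
Next Steps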
- API Reference - API endpoints
- CLI Reference - Command-line options
- Installation - Deployment guides