GoodTLS: Expert TLS/SSL Configuration Guides for Every Stack

TLS configuration is one of those things everyone knows matters, but the documentation across different platforms is fragmented, inconsistent, and sometimes outdated. GoodTLS collects expert-recommended TLS/SSL configuration guides in one place, organized by application. No sifting through Stack Overflow threads or vendor docs that haven’t been updated since TLS 1.0 was acceptable.

[Image: GoodTLS homepage showing TLS/SSL configuration guides by application]

Web Server Guides

The most common use case, and where TLS configuration has the most visibility. GoodTLS covers the major web servers with guides that focus on what actually matters for a modern deployment: TLS 1.2/1.3-only configurations, AEAD-only cipher suites, OCSP stapling, and secure header settings.

Each guide goes beyond a copy-paste snippet and explains the tradeoffs: which cipher suites to drop, why session ticket rotation matters, and what HSTS preloading requires.
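The properties named above (TLS 1.2/1.3 only, AEAD-only cipher suites, OCSP stapling) can be checked mechanically against an nginx configuration. The following is an added example, not code from GoodTLS: both sample configs are constructed, and the `directive` and `audit` helpers are hypothetical names.

```python
import re

# Constructed sample configs for illustration (not from GoodTLS or a real server).
WEAK = """server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:AES128-SHA:!aNULL;
}"""
HARDENED = """server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;  # TLS 1.3 suites are all AEAD
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_stapling on;
}"""

ALLOWED = {"TLSv1.2", "TLSv1.3"}
# Substrings that mark AEAD suites in OpenSSL cipher names and keywords.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")


def directive(conf, name):
    """Return the argument list of every `name ...;` directive, comments stripped."""
    body = re.sub(r"#[^\n]*", "", conf)
    return [m.split() for m in re.findall(rf"^\s*{name}\s+([^;]+);", body, re.M)]


def audit(conf):
    """Return findings for protocol versions, ssl_ciphers entries and stapling."""
    findings = []
    protos = directive(conf, "ssl_protocols")
    if not protos:
        findings.append("ssl_protocols not set explicitly")
    for proto in (p for args in protos for p in args):
        if proto not in ALLOWED:
            findings.append(f"legacy protocol enabled: {proto}")
    for args in directive(conf, "ssl_ciphers"):
        for item in "".join(args).strip("'\"").split(":"):
            if not item or item[0] in "!-+@":  # exclusions, reordering, @STRENGTH
                continue
            if not any(marker in item for marker in AEAD_MARKERS):
                findings.append(f"non-AEAD cipher selector: {item}")
    if ["on"] not in directive(conf, "ssl_stapling"):
        findings.append("ssl_stapling is not enabled")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(conf) or "no findings")
```

The check is conservative: broad OpenSSL keywords such as `HIGH` are flagged because they expand to CBC suites as well as AEAD ones.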

[Image: GoodTLS Nginx configuration guide showing protocol version settings]

Mail Server Guides

Mail server TLS configuration has real deliverability implications. Get the STARTTLS settings wrong and you are either degrading security or breaking mail flow. The Postfix TLS guide and Exim TLS guide cover both outbound and inbound TLS configuration, certificate requirements, and policy enforcement. Dovecot and Sendmail are covered as well.

If you are running your own mail infrastructure, certificate hygiene is part of the picture. Certificate monitoring tracks expiry across all your domains and alerts before anything lapses. An expired cert on your SMTP server will cause delivery failures before most teams even notice. On the deliverability side, blacklist monitoring watches your sending IPs against hundreds of blocklists so you catch reputation problems early.

Database and Infrastructure Guides

Database TLS is frequently an afterthought, but it is essential for any environment where the application and database are not co-located, or where compliance requirements apply. GoodTLS covers:

For infrastructure that handles DNS over TLS or encrypted replication traffic, having a reference for the correct cipher and protocol settings saves time and avoids the configuration drift that comes from guessing.

Why Configuration Quality Matters

A misconfigured TLS stack is not just a security risk. Weak cipher suites, missing OCSP stapling, and deprecated protocol versions can trigger browser warnings, fail PCI DSS or SOC 2 security scans, or cause mail rejections from strict receiving servers. The cost of getting it wrong shows up in unexpected ways.

GoodTLS is free to use and covers most common application stacks. If you are also looking to automate certificate monitoring across your infrastructure, Generator Labs certificate monitoring tracks SSL/TLS certificate expirations with automated alerts before they become outages.
