Re: [EXTERNAL] Re: Flow collection and analysis

[Eric Kuhnke <eric.kuhnke () gmail com>]

If the purpose of the software is not to be a dedicated purpose http
daemon, use something that already exists with a deep feature set that can
be configured as needed for the purpose, such as apache2 with openssl or
nginx.

It's not reasonable to expect that the developers of elastiflow reinvent
the wheel and write their own httpd with TLS support, if it can be easily
put "behind" apache2 or nginx. The risks of having people who aren't full
time httpd specialists write their own http daemon and mitigate every
possible security risk in a TLS setup are greater than using what already
exists.

It's a one page size configuration file in nginx.




On Wed, 26 Jan 2022 at 05:17, Laura Smith via NANOG <nanog () nanog org> wrote:

> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>
> On Wednesday, January 26th, 2022 at 11:08, Eric Kuhnke <
> eric.kuhnke () gmail com> wrote:
>
> > elastiflow is extremely easy to run on an httpd listening only on
> localhost and proxy behind a simple nginx TLS1.2/1.3 only configuration
> listening on port 443.
> >
>
> I don't know about anyone else here, but frankly in 2022 TLS support
> should be a first class citizen.
>
> If I have to mess around with running something else as a proxy in front
> of it then that's the end of my software evaluation.
>
> Crypto is no longer "nice to have" option these days.