Apache HTTP Proxy installation - Linux

Choose the installation steps for Apache HTTP Proxy according to the Linux distribution you use on your server. If you also want to use Apache to cache results from ESET Dynamic Threat Defense, see the related documentation.

Linux installation (distribution generic) for Apache HTTP Proxy

1. Install Apache HTTP Server (at least version 2.4.10).

2. Verify that the following modules are loaded:

access_compat, auth_basic, authn_core, authn_file, authz_core, authz_groupfile,
authz_host, proxy, proxy_http, proxy_connect, cache, cache_disk

3. Add the caching configuration:

CacheEnable disk http://
CacheDirLevels 4
CacheDirLength 2
CacheDefaultExpire 3600
CacheMaxFileSize 200000000
CacheMaxExpire 604800
CacheQuickHandler Off
CacheRoot /var/cache/apache2/mod_cache_disk

4. If the directory /var/cache/apache2/mod_cache_disk does not exist, create it and give Apache read, write and execute (r,w,x) permissions on it.

5. Add the proxy configuration:

ProxyRequests On
ProxyVia On
<Proxy *>
Order deny,allow
Deny from all
Allow from all
</Proxy>

6. Enable the added caching and proxy configuration (if the configuration is in the main Apache configuration file, you can skip this step).

7. If necessary, change the listening port to your desired port (port 3128 is set by default).

8. Optional basic authentication:

o Add authentication configuration to the proxy directive:

AuthType Basic
AuthName "Password Required"
AuthUserFile /etc/apache2/password.file
AuthGroupFile /etc/apache2/group.file
Require group usergroup

o Create a password file using htpasswd -c

o Manually create a file named group.file with usergroup:username

9. Restart the Apache HTTP Server.
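Step 2 can be checked mechanically. The following added example (not part of the ESET instructions) compares the module list printed by apachectl -M with the modules named in step 2; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the ESET instructions.
# Modules required by step 2, named as on the page; Apache reports each one
# with a _module suffix.
REQUIRED="access_compat auth_basic authn_core authn_file authz_core authz_groupfile
authz_host proxy proxy_http proxy_connect cache cache_disk"

# missing_modules: reads `apachectl -M` output on stdin and prints every
# required module that is not loaded, one per line. Names are compared whole,
# so proxy_http_module does not count as proxy_module.
missing_modules() {
    loaded=$(awk '{ print $1 }')
    for m in $REQUIRED; do
        printf '%s\n' "$loaded" | grep -qx "${m}_module" || printf '%s\n' "$m"
    done
}

# Constructed sample of `apachectl -M` output with proxy and cache_disk absent.
sample_output() {
    cat <<'EOF'
Loaded Modules:
 core_module (static)
 access_compat_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 proxy_http_module (shared)
 proxy_connect_module (shared)
 cache_module (shared)
EOF
}

# On a live host: apachectl -M | missing_modules
sample_output | missing_modules
```

An empty result means every module from step 2 is loaded.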

Apache HTTP Proxy installation on Ubuntu Server 14.10 and other Debian-based Linux distributions

1. Install the latest version of Apache HTTP Server from the apt repository:

sudo apt-get install apache2

2. Execute the following command to load the required Apache modules:

sudo a2enmod access_compat auth_basic authn_core authn_file authz_core \
authz_groupfile authz_host proxy proxy_http proxy_connect cache cache_disk

3. Edit the Apache caching configuration file:

sudo vim /etc/apache2/mods-available/cache_disk.conf

and copy/paste the following configuration:

CacheEnable disk http://
CacheDirLevels 4
CacheDirLength 2
CacheDefaultExpire 3600
CacheMaxFileSize 200000000
CacheMaxExpire 604800
CacheQuickHandler Off
CacheRoot /var/cache/apache2/mod_cache_disk

4. This step should not be required, but if the caching directory is missing, run the following commands:

sudo mkdir /var/cache/apache2/mod_cache_disk
sudo chown www-data /var/cache/apache2/mod_cache_disk
sudo chgrp www-data /var/cache/apache2/mod_cache_disk

5. Edit the Apache proxy configuration file:

sudo vim /etc/apache2/conf-available/proxy.conf

and copy/paste the following configuration:

ProxyRequests On
ProxyVia On
<Proxy *>
Order deny,allow
Deny from all
Allow from all
</Proxy>

6. Enable the configuration files you edited in earlier steps:

sudo a2enconf caching.conf proxy.conf

7. Switch the listening port of Apache HTTP Server to 3128. Edit the file /etc/apache2/ports.conf and replace Listen 80 with Listen 3128.

8. Optional basic authentication:

sudo vim /etc/apache2/mods-enabled/proxy.conf

o Copy/paste the authentication configuration before </Proxy>:

AuthType Basic
AuthName "Password Required"
AuthUserFile /etc/apache2/password.file
AuthGroupFile /etc/apache2/group.file
Require group usergroup

o Install apache2-utils and create a new password file (for example, username: user, group: usergroup):

sudo apt-get install apache2-utils
sudo htpasswd -c /etc/apache2/password.file user

o Create a file called group.file:

sudo vim /etc/apache2/group.file

and copy/paste the following line:

usergroup:user

9. Restart the Apache HTTP Server using the following command:

sudo service apache2 restart
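With ProxyRequests On and the <Proxy *> block from step 5, Apache forwards requests for every client that can reach the listening port unless basic authentication (step 8) or the ESET-only rules are added. The following added example (not part of the ESET instructions) classifies a proxy configuration accordingly; the function names and sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the ESET instructions.
# proxy_posture FILE ("-" reads stdin) prints how the forward proxy is exposed:
#   off            ProxyRequests is not On
#   open           <Proxy *> allows every client and asks for no credentials
#   authenticated  <Proxy *> carries a Require directive (default Satisfy All assumed)
#   restricted     <Proxy *> denies by default; only ProxyMatch rules can allow
proxy_posture() {
    awk '
        { sub(/^[ \t]+/, ""); line = tolower($0) }
        line ~ /^#/                                              { next }
        line ~ /^proxyrequests[ \t]+on/                          { fwd = 1 }
        line ~ /^<proxy[ \t]+\*>/                                { inblk = 1; next }
        line ~ /^<\/proxy>/                                      { inblk = 0; next }
        inblk && line ~ /^allow[ \t]+from[ \t]+all/              { allow = 1 }
        inblk && line ~ /^require[ \t]+(group|user|valid-user)/  { auth = 1 }
        END {
            if (!fwd)       print "off"
            else if (auth)  print "authenticated"
            else if (allow) print "open"
            else            print "restricted"
        }' "$1"
}

# sample_conf KIND prints a constructed configuration: open, auth or eset.
sample_conf() {
    printf '%s\n' 'ProxyRequests On' 'ProxyVia On' '<Proxy *>'
    case $1 in
        open|auth) printf '%s\n' 'Order deny,allow' 'Deny from all' 'Allow from all' ;;
        eset)      printf '%s\n' 'Deny from all' ;;
    esac
    if [ "$1" = auth ]; then
        printf '%s\n' 'AuthType Basic' 'AuthName "Password Required"' \
            'AuthUserFile /etc/apache2/password.file' \
            'AuthGroupFile /etc/apache2/group.file' 'Require group usergroup'
    fi
    printf '%s\n' '</Proxy>'
    if [ "$1" = eset ]; then
        printf '%s\n' '<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(edf-pcs.cloudapp.net|edf-pcs2.cloudapp.net|edfpcs.trafficmanager.net)(:[0-9]+)?(/.*)?$>' \
            'Allow from all' '</ProxyMatch>'
    fi
}

for kind in open auth eset; do
    printf '%-5s %s\n' "$kind" "$(sample_conf "$kind" | proxy_posture -)"
done
```

On the Debian layout above, the file to pass is /etc/apache2/conf-available/proxy.conf.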

 

Forwarding for ESET communication only

To allow forwarding of ESET communication only, remove the following:

<Proxy *>
Order deny,allow
Deny from all
Allow from all
</Proxy>

And add the following:

<Proxy *>
Deny from all
</Proxy>

#*.eset.com:

<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[c,C][o,O][m,M](:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>

#*.eset.eu:

<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[e,E][u,U](:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>

#Antispam module (ESET Mail Security only):

<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(ds1-uk-rules-1.mailshell.net|ds1-uk-rules-2.mailshell.net|ds1-uk-rules-3.mailshell.net|fh-uk11.mailshell.net)(:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>

#Services (activation)

<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(edf-pcs.cloudapp.net|edf-pcs2.cloudapp.net|edfpcs.trafficmanager.net)(:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>

#ESET servers accessed directly via IP address:

<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(91.228.165.|91.228.166.|91.228.167.|38.90.226.)([0-9]+)(:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>
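The ESET-only rules can be checked offline before they are deployed. The following added example (not part of the ESET configuration) runs the five ProxyMatch expressions above through grep -E against constructed URLs; R_IP_STRICT, which escapes the dots of the IP rule so that they match only a literal dot, is an assumption and not on the page.

```shell
#!/bin/sh
# Added example: the ProxyMatch expressions from the page, split into shared parts.
P='^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?'  # optional scheme and userinfo
S='(:[0-9]+)?(/.*)?$'                             # optional port and path
D='([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.'   # at most two labels before the domain
R_COM="${P}${D}[e,E][s,S][e,E][t,T]\.[c,C][o,O][m,M]${S}"
R_EU="${P}${D}[e,E][s,S][e,E][t,T]\.[e,E][u,U]${S}"
R_SPAM="${P}(ds1-uk-rules-1.mailshell.net|ds1-uk-rules-2.mailshell.net|ds1-uk-rules-3.mailshell.net|fh-uk11.mailshell.net)${S}"
R_ACT="${P}(edf-pcs.cloudapp.net|edf-pcs2.cloudapp.net|edfpcs.trafficmanager.net)${S}"
R_IP="${P}(91.228.165.|91.228.166.|91.228.167.|38.90.226.)([0-9]+)${S}"
# Assumption, not on the page: the IP rule with its dots escaped.
R_IP_STRICT="${P}(91\.228\.165\.|91\.228\.166\.|91\.228\.167\.|38\.90\.226\.)([0-9]+)${S}"

# matches REGEX URL: exit 0 when the URL matches that one rule.
matches() { printf '%s\n' "$2" | grep -Eq -e "$1"; }

# eset_allowed URL: exit 0 when any rule from the page would forward the request.
eset_allowed() {
    for r in "$R_COM" "$R_EU" "$R_SPAM" "$R_ACT" "$R_IP"; do
        if matches "$r" "$1"; then return 0; fi
    done
    return 1
}

# Constructed URLs, none taken from the page:
#   one and two labels under eset.com / eset.eu   -> forwarded
#   three labels under eset.com                   -> denied (the rule stops at two)
#   eset.com used as a prefix of another domain   -> denied (the rule is anchored)
#   an address in one of the listed IP ranges     -> forwarded
for u in 'http://a.eset.com/x' 'b.a.eset.eu:443' 'http://c.b.a.eset.com/' \
         'http://eset.com.example.org/' 'http://91.228.165.10/'; do
    if eset_allowed "$u"; then echo "ALLOW $u"; else echo "DENY  $u"; fi
done

# The unescaped dots in R_IP match any character; R_IP_STRICT does not.
for rule in "$R_IP" "$R_IP_STRICT"; do
    if matches "$rule" 'http://91x228x165x10/'; then echo "matches"; else echo "no match"; fi
done
```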

To allow forwarding of all communication, add the following:

<Proxy *>
Order deny,allow
Deny from all
Allow from all
</Proxy>

and remove the following:

<Proxy *>
Deny from all
</Proxy>

#*.eset.com:
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[c,C][o,O][m,M](:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>

#*.eset.eu:
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[e,E][u,U](:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>

#Antispam module (ESET Mail Security only):
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(ds1-uk-rules-1.mailshell.net|ds1-uk-rules-2.mailshell.net|ds1-uk-rules-3.mailshell.net|fh-uk11.mailshell.net)(:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>

#Services (activation)
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(edf-pcs.cloudapp.net|edf-pcs2.cloudapp.net|edfpcs.trafficmanager.net)(:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>

#ESET servers accessed directly via IP address:
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(91.228.165.|91.228.166.|91.228.167.|38.90.226.)([0-9]+)(:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>

Proxy chaining (all traffic)

ESMC does not support proxy chaining when proxies require authentication. You can use your own transparent web proxy solution; however, additional configuration may be required beyond what is described here. Add the following to the proxy configuration (the password works only on the child proxy):

ProxyRemote * http://IP_ADDRESS:3128

When using proxy chaining on the ESMC Virtual Appliance, the SELinux policy must be modified. Open the terminal on the ESMC VA and run the following command:

/usr/sbin/setsebool -P httpd_can_network_connect 1